Preview of Senate Democratic Chairs

It’s not clear who will end up where, but new Senate chairs will change focus and agenda of committees and debate over the next two years.

With the victories of Senators-elect Raphael Warnock (D-GA) and Jon Ossoff (D-GA), control of the United States Senate will tip to the Democrats once Vice President-elect Kamala Harris (D) is sworn in and can break the 50-50 tie in the chamber in favor of the Democrats. With the shift in control, new chairs will take over committees key to setting the agenda over the next two years in the Senate. However, given the filibuster, and the fact that Senate Republicans will exert maximum leverage through its continued use, Democrats will be hamstrung and forced to work with Republicans on matters such as federal privacy legislation, artificial intelligence (AI), the Internet of Things (IOT), cybersecurity, data flows, surveillance, etc. just as Republicans have had to work with Democrats over the six years they controlled the chamber. Having said that, Democrats will be in a stronger position than they had been and will have the power to set the agenda in committee hearings, being empowered to call the lion’s share of witnesses and to control the floor agenda. What’s more, Democrats will be poised to confirm President-elect Joe Biden’s nominees at agencies like the Federal Communications Commission (FCC), Federal Trade Commission (FTC), the Department of Justice (DOJ), and others, giving the Biden Administration a free hand in many areas of technology policy.

All of that being said, this is not meant to be an exhaustive look at all the committees of jurisdiction and possible chairs. Rather, it seeks to survey likely chairs on selected committees and some of their priorities for the next two years. Subcommittee chairs will also be important, but until the cards get shuffled among the chairs, it will not be possible to see where they land at the subcommittee level.

When considering the possible Democratic chairs of committees, one must keep in mind it is often a matter of musical chairs with the most senior members getting first choice. And so, with Senator Patrick Leahy (D-VT) as the senior-most Democratic Senator, he may well choose to leave the Appropriations Committee and move back to assume the gavel of the Judiciary Committee. Leahy has long been a stakeholder on antitrust, data security, privacy, and surveillance legislation and would be in a position to influence what bills on those and other matters before the Senate look like. If Leahy does not move to the chair on Judiciary, he may still be entitled to chair a subcommittee and exert influence.

If Leahy stays put, then current Senate Minority Whip Dick Durbin (D-IL) would be poised to leapfrog Senator Dianne Feinstein (D-CA) to chair Judiciary after Feinstein was persuaded to step aside on account of her lackluster performance in a number of high-profile hearings in 2020. Durbin has also been active on privacy, data security, and surveillance issues. The Judiciary Committee will be central to a number of technology policies, including Foreign Intelligence Surveillance Act reauthorization, privacy legislation, Section 230 reform, antitrust, and others. On the Republican side of the dais, Senator Lindsey Graham (R-SC) is leaving the top post because of term limit restrictions imposed by Republicans, and Senator Charles Grassley (R-IA) is set to replace him. How this changes the 47 USC 230 (Section 230) debate is not immediately clear. And yet, Grassley and three colleagues recently urged the Trump Administration in a letter to omit language in a trade agreement with the United Kingdom (UK) that mirrors the liability protection of Section 230. Senators Rob Portman (R-OH), Mark R. Warner (D-VA), Richard Blumenthal (D-CT), and Grassley argued to U.S. Trade Representative Ambassador Robert Lighthizer that a “safe harbor” like the one provided to technology companies for hosting or moderating third party content is outdated, not needed in a free trade agreement, contrary to the will of both the Congress and UK Parliament, and likely to be changed legislatively in the near future. It is likely, however, Grassley will fall in with other Republicans propagating the narrative that social media is unfairly biased against conservatives, particularly in light of the recent purge of President Donald Trump for his many, repeated violations of policy.

The Senate Judiciary Committee will be central in any policy discussions of antitrust and anticompetition in the technology realm. But it bears note the filibuster (and the very low chances Senate Democrats would “go nuclear” and remove all vestiges of the functional supermajority requirement to pass legislation) will give Republicans leverage to block some of the more ambitious reforms Democrats might like to enact (e.g. the House Judiciary Committee’s October 2020 final report that calls for nothing less than a complete remaking of United States (U.S.) antitrust policy and law; see here for more analysis.)

It seems Senator Sherrod Brown (D-OH) will be the next chair of the Senate Banking, Housing, and Urban Development Committee which has jurisdiction over cybersecurity, data security, privacy, and other issues in the financial services sector, making it a player on any legislation designed to encompass the whole of the United States economy. Having said that, it may again be the case that sponsors of, say, privacy legislation decide to cut the Gordian knot of jurisdictional turf battles by cutting out certain committees. For example, many of the privacy bills had provisions making clear they would deem financial services entities in compliance with the Financial Services Modernization Act of 1999 (P.L. 106-102) (aka Gramm-Leach-Bliley) to be in compliance with the new privacy regime. I suppose these provisions may have been included on the basis of the very high privacy and data security standards Gramm-Leach-Bliley has brought about (e.g. the Experian hack), or sponsors of federal privacy legislation made the strategic calculation to circumvent the Senate Banking Committee as much as they can. Nonetheless, this committee has sought to insert itself into the policymaking process on privacy last year as Brown and outgoing Chair Mike Crapo (R-ID) requested “feedback” in February 2019 “from interested stakeholders on the collection, use and protection of sensitive information by financial regulators and private companies.” Additionally, Brown released what may be the most expansive privacy bill from the perspective of privacy and civil liberties advocates, the “Data Accountability and Transparency Act of 2020” in June 2020 (see here for my analysis.) Therefore, Brown may continue to push for a role in federal privacy legislation with a gavel in his hands.

In a similar vein, Senator Patty Murray (D-WA) will likely take over the Senate Health, Education, Labor, and Pensions (HELP) Committee which has jurisdiction over health information privacy and data security through the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). Again, as with the Senate Banking Committee and Gramm-Leach-Bliley, most of the privacy bills exempt HIPAA-compliant entities. And yet, even if her committee is cut out of a direct role in privacy legislation, Murray will still likely exert influence through oversight of and possible legislation changing HIPAA regulations and the Department of Health and Human Services (HHS) enforcement and rewriting of these standards for most of the healthcare industry. For example, HHS is rushing a rewrite of the HIPAA regulations at the tail end of the Trump Administration, and Murray could be in a position to inform how the Biden Administration and Secretary of Health and Human Services-designate Xavier Becerra handle this rulemaking. Additionally, Murray may push the Office of Civil Rights (OCR), the arm of HHS that writes and enforces these regulations, to prioritize matters differently.

Senator Maria Cantwell (D-WA) appears to be the next chair of the Senate Commerce, Science, and Transportation Committee, which has arguably the largest technology portfolio in the Senate. It is the primary committee of jurisdiction for the FCC, FTC, National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST), and the Department of Commerce. Cantwell may exert influence on which people are nominated to head and staff those agencies and others. Her committee is also the primary committee of jurisdiction for domestic and international privacy and data protection matters. And so, federal privacy legislation will likely be drafted by this committee, and legislative changes so the U.S. can enter into a new personal data sharing agreement with the European Union (EU) would also likely involve her and her committee.

Cantwell and likely next Ranking Member Roger Wicker (R-MS) agree on many elements of federal privacy law but were at odds last year on federal preemption and whether people could sue companies for privacy violations. Between them, they circulated three privacy bills. In September 2020, Wicker and three Republican colleagues introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” (S.4626) (see here for more analysis). Wicker had put out for comment a discussion draft, the “Consumer Data Privacy Act of 2019” (CDPA) (see here for analysis) in November 2019 shortly after the Ranking Member on the committee, Senator Maria Cantwell (D-WA) and other Democrats had introduced their privacy bill, the “Consumer Online Privacy Rights Act” (COPRA) (S.2968) (see here for more analysis).

Cantwell could also take a leading role on Section 230, but her focus, of late, seems to be on how technology companies are wreaking havoc on traditional media. She released a report that she mentioned during her opening statement at the 23 September hearing aimed at trying to revive data privacy legislation. She and her staff investigated the decline and financial troubles of local media outlets, which are facing a cumulative loss in advertising revenue of up to 70% since 2000. And since advertising revenue has long been the life blood of print journalism, this has devastated local media with many outlets shutting their doors or radically cutting their staff. This trend has been exacerbated by consolidation in the industry, often in concert with private equity or hedge funds looking to wring the last dollars of value from bargain basement priced newspapers. Cantwell also claimed that the overwhelming online advertising dominance of Google and Facebook has further diminished advertising revenue and other possible sources of funding through a variety of means. She intimates that much of this content may be illegal under U.S. law, and the FTC may well be able to use its Section 5 powers against unfair and deceptive acts and its anti-trust authority to take action (see here for more analysis and context). In this vein, Cantwell will want her committee to play in any antitrust policy changes, likely knowing massive changes in U.S. law are not possible in a split Senate with entrenched party positions and discipline.

Senator Jack Reed (D-RI) will take over the Senate Armed Services Committee and its portfolio over national security technology policy that includes the cybersecurity, data protection and supply chain of national security agencies and their contractors, AI, offensive and defensive U.S. cyber operations, and other realms. Many of the changes Reed and his committee will seek to make will be through the annual National Defense Authorization Act (NDAA) (see here and here for the many technology provisions in the FY 2021 NDAA). Reed may also prod the Department of Defense (DOD) to implement or enforce the Cybersecurity Maturity Model Certification (CMMC) Framework differently than envisioned and designed by the Trump Administration. In December 2020, a new rule took effect designed to drive better cybersecurity among U.S. defense contractors. This rule brings together two different lines of effort to require the Defense Industrial Base (DIB) to employ better cybersecurity given the risks they face by holding and using classified information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Executive Branch has long wrestled with how to best push contractors to secure their systems, and Congress and the White House have opted for using federal contract requirements in that contractors must certify compliance. However, the most recent initiative, the CMMC Framework, will require contractors to be certified by third party assessors. And yet, it is not clear the DOD has wrestled with the often-misaligned incentives present in third party certification schemes.

Reed’s committee will undoubtedly delve deep into the recent SolarWinds hack and implement policy changes to avoid a reoccurrence. Doing so may lead the Senate Armed Services Committee back to reconsidering the Cyberspace Solarium Commission’s (CSC) March 2020 final report and follow up white papers, especially their views embodied in “Building a Trusted ICT Supply Chain.”

Senator Mark Warner (D-VA) will likely take over the Senate Intelligence Committee. Warner has long been a stakeholder on a number of technology issues and would be able to exert influence on the national security components of such issues. He and his committee will almost certainly play a role in the Congressional oversight of and response to the SolarWinds hack. Likewise, his committee shares jurisdiction over FISA with the Senate Judiciary Committee and over national security technology policy with the Armed Services Committee.

Senator Amy Klobuchar (D-MN) would be the Senate Democratic point person on election security from her perch at the Senate Rules and Administration Committee, which may enable her to more forcefully push for the legislative changes she has long advocated for. In May 2019, Klobuchar and other Senate Democrats introduced the “Election Security Act” (S. 1540), the Senate version of the stand-alone measure introduced in the House that was taken from the larger package, the “For the People Act” (H.R. 1) passed by the House.

In August 2018, the Senate Rules and Administration Committee postponed indefinitely a markup on a compromise bill to provide states additional assistance in securing elections from interference, the “Secure Elections Act” (S.2593). Reportedly, there was concern among state officials that a provision requiring audits of election results would be in effect an unfunded mandate even though this provision was softened at the insistence of Senate Republican leadership. However, a Trump White House spokesperson indicated in a statement that the Administration opposed the bill, which may have posed an additional obstacle to Committee action. However, even if the Senate had passed its bill, it was unlikely that the Republican controlled House would have considered companion legislation (H.R. 6663).

Senator Gary Peters (D-MI) may be the next chair of the Senate Homeland Security and Governmental Affairs Committee, and if so, he will continue to face the rock on which many a bark of cybersecurity legislation has been dashed: Senator Ron Johnson (R-WI). So significant has Johnson’s opposition been to bipartisan cybersecurity legislation from the House, some House Republican stakeholders have said so in media accounts, not bothering to hide in anonymity. And so whatever Peters’ ambitions may be to shore up the cybersecurity of the federal government as his committee will play a role in investigating and responding to the Russian hack of SolarWinds and many federal agencies, he will be limited by whatever Johnson and other Republicans will allow to move through the committee and through the Senate. Of course, Peters’ purview would include the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) and its remit to police the cybersecurity practices of the federal government. Peters would also have in his portfolio the information technology (IT) practices of the federal government, some $90 billion annually across all agencies.

Finally, whether it be Leahy or Durbin at the Senate Appropriations Committee, this post allows for immense influence in funding and programmatic changes in all federal programs through the power of the purse Congress holds.

Further Reading, Other Developments, and Coming Events (15 December)

Further Reading

  • “DHS, State and NIH join list of federal agencies — now five — hacked in major Russian cyberespionage campaign” By Ellen Nakashima and Craig Timberg — The Washington Post; “Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit” By David E. Sanger, Nicole Perlroth and Eric Schmitt — The New York Times. The list of United States (U.S.) government agencies breached by Sluzhba vneshney razvedki Rossiyskoy Federatsii (SVR), the Russian Federation’s Foreign Intelligence Service, has grown. Now the Departments of Homeland Security, Defense, and State and the National Institutes of Health are reporting they have been breached. It is unclear if Fortune 500 companies in the U.S. and elsewhere and U.S. nuclear laboratories were also breached in this huge, sophisticated espionage exploit. It appears the Russians were selective and careful, and these hackers may have only accessed information held on U.S. government systems. And yet, the Trump Administration continues to issue equivocal statements neither denying nor acknowledging the hack, leaving the public to depend on quotes from anonymous officials. Perhaps admitting the Russians hacked U.S. government systems would throw light on Russian interference four years ago, and the President is loath to even contemplate that attack. In contrast, President Donald Trump has made all sorts of wild, untrue claims about vote totals being hacked despite no evidence supporting his assertions. It appears that the declaration of mission accomplished by some agencies of the Trump Administration over no Russian hacking of or interference with the 2020 election will be overshadowed by what may prove the most damaging hack of U.S. government systems ever.
  • “Revealed: China suspected of spying on Americans via Caribbean phone networks” By Stephanie Kirchgaessner — The Guardian. This story depends on one source, so take it for what it is worth, but allegedly the People’s Republic of China (PRC) is using vulnerabilities in mobile communications networks to hack into the phones of Americans travelling in the Caribbean. If so, the PRC may be exploiting the same Signaling System 7 (SS7) weaknesses an Israeli firm, Circles, is using to sell access to phones, at least according to a report published recently by the University of Toronto’s Citizen Lab.
  • “The Cartel Project | Revealed: The Israelis Making Millions Selling Cyberweapons to Latin America” By Amitai Ziv — Haaretz. Speaking of Israeli companies, the NSO Group, among others, is actively selling offensive cyber and surveillance capabilities to Central American nations, often through practices that may be corrupt.
  • “U.S. Schools Are Buying Phone-Hacking Tech That the FBI Uses to Investigate Terrorists” By Tom McKay and Dhruv Mehrotra — Gizmodo. Israeli firm Cellebrite and competitors are being used in school systems across the United States (U.S.) to access communications on students’ phones. The U.S. Supreme Court caselaw gives schools very wide discretion for searches, and the Fourth Amendment is largely null and void on school grounds.
  • “‘It’s Hard to Prove’: Why Antitrust Suits Against Facebook Face Hurdles” By Mike Isaac and Cecilia Kang — The New York Times. The development of antitrust law over the last few decades may have laid an uphill path for the Federal Trade Commission (FTC) and state attorneys general in securing a breakup of Facebook, something that has not happened on a large scale since the historic splintering of AT&T in the early 1980s.
  • “Exclusive: Israeli Surveillance Companies Are Siphoning Masses Of Location Data From Smartphone Apps” By Thomas Brewster — Forbes. Turns out Israeli firms are using a feature (or what many would call a bug) in the online advertising system that allows those looking to buy ads to get close to real-time location data from application developers looking to sell advertising space. By putting out a shingle as a Demand Side Platform, it is possible to access reams of location data, and two Israeli companies are doing just that and offering the service of locating and tracking people using this quirk in online advertising. And this is not just companies in Israel. There is a company under scrutiny in the United States (U.S.) that may have used these practices and then provided location data to federal agencies.

Other Developments

  • The Government Accountability Office (GAO) evaluated the United States’ (U.S.) Department of Defense’s electromagnetic spectrum (EMS) operations found that the DOD’s efforts to maintain EMS superiority over the Russian Federation and the People’s Republic of China (PRC). The GAO concluded:
    • Studies have shown that adversaries of the United States, such as China and Russia, are developing capabilities and strategies that could affect DOD superiority in the information environment, including the EMS. DOD has also reported that loss of EMS superiority could result in the department losing control of the battlefield, as its Electromagnetic Spectrum Operations (EMSO) supports many warfighting functions across all domains. DOD recognizes the importance of EMSO to military operations in actual conflicts and in operations short of open conflict that involve the broad information environment. However, gaps we identified in DOD’s ability to develop and implement EMS-related strategies have impeded progress in meeting DOD’s goals. By addressing gaps we found in five areas—(1) the processes and procedures to integrate EMSO throughout the department, (2) governance reforms to correct diffuse organization, (3) responsibility by an official with appropriate authority, (4) a strategy implementation plan, and (5) activities that monitor and assess the department’s progress in implementing the strategy—DOD can capitalize on progress that it has already made and better support ensuring EMS superiority.
    • The GAO recommended:
      • The Secretary of Defense should ensure that the Vice Chairman of the Joint Chiefs of Staff, as Senior Designated Official of the Electromagnetic Spectrum Operations Cross-Functional Team (CFT), identifies the procedures and processes necessary to provide for integrated defense-wide strategy, planning, and budgeting with respect to joint electromagnetic spectrum operations, as required by the FY19 NDAA. (Recommendation 1)
      • The Secretary of Defense should ensure that the Vice Chairman of the Joint Chiefs of Staff as Senior Designated Official of the CFT proposes EMS governance, management, organizational, and operational reforms to the Secretary. (Recommendation 2)
      • The Secretary of Defense should assign clear responsibility to a senior official with authority and resources necessary to compel action for the long-term implementation of the 2020 strategy in time to oversee the execution of the 2020 strategy implementation plan. (Recommendation 3)
      • The Secretary of Defense should ensure that the designated senior official for long-term strategy implementation issues an actionable implementation plan within 180 days following issuance of the 2020 strategy. (Recommendation 4)
      • The Secretary of Defense should ensure that the designated senior official for long-term strategy implementation creates oversight processes that would facilitate the department’s implementation of the 2020 strategy. (Recommendation 5)
  • A forerunner to Apple’s App Store has sued the company, claiming it has monopolized applications on its operating system to the detriment of other parties and done the same with respect to its payment system. The company behind Cydia is arguing that it conceived of and created the first application store for the iPhone, offering a range of programs Apple did not. Cydia is claiming that once Apple understood how lucrative an app store would be, it blocked Cydia and established its own store, the exclusive means through which programs can be installed and used on the iOS. Furthermore, this has enabled Apple to levy 30% of all in-application purchases made, which is allegedly a $50 billion market annually. This is the second high-profile suit this year against Apple. Epic Games, the maker of the popular game, Fortnite, sued Apple earlier this year on many of the same grounds because the company started allowing users to buy directly from it for a 30% discount. Apple responded by removing the game from the App Store, which has blocked players from downloading updated versions. That litigation has just begun. In its complaint, Cydia asserts:
    • Historically, distribution of apps for a specific operating system (“OS”) occurred in a separate and robustly competitive market. Apple, however, began coercing users to utilize no other iOS app distribution service but the App Store, coupling it closer and closer to the iPhone itself in order to crowd out all competition. But Apple did not come up with this idea initially—it only saw the economic promise that iOS app distribution represented after others, like [Cydia], demonstrated that value with their own iOS app distribution products/services. Faced with this realization, Apple then decided to take that separate market (as well as the additional iOS app payment processing market described herein) for itself.
    • Cydia became hugely popular by offering a marketplace to find and obtain third party iOS applications that greatly expanded the capabilities of the stock iPhone, including games, productivity applications, and audio/visual applications such as a video recorder (whereas the original iPhone only allowed still camera photos). Apple subsequently took many of these early third party applications’ innovations, incorporating them into the iPhone directly or through apps.
    • But far worse than simply copying others’ innovations, Apple also recognized that it could reap enormous profits if it cornered this fledgling market for iOS app distribution, because that would give Apple complete power over iOS apps, regardless of the developer. Apple therefore initiated a campaign to eliminate competition for iOS app distribution altogether. That campaign has been successful and continues to this day. Apple did (and continues to do) so by, inter alia, tying the App Store app to iPhone purchases by preinstalling it on all iOS devices and then requiring it as the default method to obtain iOS apps, regardless of user preference for other alternatives; technologically locking down the iPhone to prevent App Store competitors like Cydia from even operating on the device; and imposing contractual terms on users that coerce and prevent them from using App Store competitors. Apple has also mandated that iOS app developers use it as their sole option for app payment processing (such as in-app purchases), thus preventing other competitors, such as Cydia, from offering the same service to those developers.
    • Through these and other anticompetitive acts, Apple has wrongfully acquired and maintained monopoly power in the market (or aftermarket) for iOS app distribution, and in the market (or aftermarket) for iOS app payment processing. Apple has frozen Cydia and all other competitors out of both markets, depriving them of the ability to compete with the App Store and to offer developers and consumers better prices, better service, and more choice. This anticompetitive conduct has unsurprisingly generated massive profits and unprecedented market capitalization for Apple, as well as incredible market power.
  • California is asking to join the antitrust suit against Google filed by the United States Department of Justice (DOJ) and eleven state attorneys general. This antitrust action centers on Google’s practices of making Google the default search engine on Android devices and paying browsers and other technology entities to make Google the default search engine. However, a number of states that had initially joined the joint state investigation of Google have opted not to join this action and will instead be continuing to investigate, signaling a much broader case than the one filed in the United States District Court for the District of Columbia. In any event, if the suit does proceed, and a change in Administration could result in a swift change in course, it may take years to be resolved. Of course, given the legion leaks from the DOJ and state attorneys general offices about the pressure U.S. Attorney General William Barr placed on staff and attorneys to bring a case before the election, there is criticism that rushing the case may result in a weaker, less comprehensive action that Google may ultimately fend off.
    • And, there is likely to be another lawsuit against Google filed by other state attorneys general. A number of attorneys general who had originally joined the effort led by Texas Attorney General Ken Paxton in investigating Google released a statement at the time the DOJ suit was filed, indicating their investigation would continue, presaging a different, possibly broader lawsuit that might also address Google’s role in other markets. The attorneys general of New York, Colorado, Iowa, Nebraska, North Carolina, Tennessee, and Utah did not join the case that was filed but may soon file a related but parallel case. They stated:
      • Over the last year, both the U.S. DOJ and state attorneys general have conducted separate but parallel investigations into Google’s anticompetitive market behavior. We appreciate the strong bipartisan cooperation among the states and the good working relationship with the DOJ on these serious issues. This is a historic time for both federal and state antitrust authorities, as we work to protect competition and innovation in our technology markets. We plan to conclude parts of our investigation of Google in the coming weeks. If we decide to file a complaint, we would file a motion to consolidate our case with the DOJ’s. We would then litigate the consolidated case cooperatively, much as we did in the Microsoft case.
  • France’s Commission nationale de l’informatique et des libertés (CNIL) handed down multi-million Euro fines on Google and Amazon for putting cookies on users’ devices. CNIL fined Google a total of €100 million and Amazon €35 million because its investigation of both entities determined “when a user visited [their] website, cookies were automatically placed on his or her computer, without any action required on his or her part…[and] [s]everal of these cookies were used for advertising purposes.”
    • CNIL explained the decision against Google:
      • [CNIL] noticed three breaches of Article 82 of the French Data Protection Act:
      • Deposit of cookies without obtaining the prior consent of the user
        • When a user visited the website google.fr, several cookies used for advertising purposes were automatically placed on his or her computer, without any action required on his or her part.
        • Since this type of cookies can only be placed after the user has expressed his or her consent, the restricted committee considered that the companies had not complied with the requirement provided for in Article 82 of the French Data Protection Act regarding the collection of prior consent before placing cookies that are not essential to the service.
      • Lack of information provided to the users of the search engine google.fr
        • When a user visited the page google.fr, an information banner displayed at the bottom of the page, with the following note “Privacy reminder from Google”, in front of which were two buttons: “Remind me later” and “Access now”.
        • This banner did not provide the user with any information regarding cookies that had however already been placed on his or her computer when arriving on the site. The information was also not provided when he or she clicked on the button “Access now”.
        • Therefore, the restricted committee considered that the information provided by the companies did not enable the users living in France either to be previously and clearly informed regarding the deposit of cookies on their computer or, therefore, to be informed of the purposes of these cookies and the available means enabling to refuse them.
      • Partial failure of the « opposition » mechanism
        • When a user deactivated the ad personalization on the Google search by using the available mechanism from the button “Access now”, one of the advertising cookies was still stored on his or her computer and kept reading information aimed at the server to which it is attached.
        • Therefore, the restricted committee considered that the “opposition” mechanism set up by the companies was partially defective, breaching Article 82 of the French Data Protection Act.
    • CNIL explained the case against Amazon:
      • [CNIL] noticed two breaches of Article 82 of the French Data Protection Act:
      • Deposit of cookies without obtaining the prior consent of the user
        • The restricted committee noted that when a user visited one of the pages of the website amazon.fr, a large number of cookies used for advertising purposes was automatically placed on his or her computer, before any action required on his or her part. Yet, the restricted committee recalled that this type of cookies, which are not essential to the service, can only be placed after the user has expressed his or her consent. It considered that the deposit of cookies at the same time as arriving on the site was a practice which, by its nature, was incompatible with a prior consent.
      • Lack of information provided to the users of the website amazon.fr
        • First, the restricted committee noted that, in the case of a user visiting the website amazon.fr, the information provided was neither clear, nor complete.
        • It considered that the information banner displayed by the company, which was “By using this website, you accept our use of cookies allowing to offer and improve our services. Read More.”, only contained a general and approximate information regarding the purposes of all the cookies placed. In particular, it considered that, by reading the banner, the user could not understand that cookies placed on his or her computer were mainly used to display personalized ads. It also noted that the banner did not explain to the user that it could refuse these cookies and how to do it.
        • Then, the restricted committee noticed that the company’s failure to comply with its obligation was even more obvious regarding the case of users that visited the website amazon.fr after they had clicked on an advertisement published on another website. It underlined that in this case, the same cookies were placed but no information was provided to the users about that.
  • Senator Amy Klobuchar (D-MN) wrote the Secretary of Health and Human Services (HHS) to express “serious concerns regarding recent reports on the data collection practices of Amazon’s health-tracking bracelet (Halo) and to request information on the actions [HHS] is taking to ensure users’ health data is secure.” Klobuchar stated:
    • The Halo is a fitness tracker that users wear on their wrists. The tracker’s smartphone application (app) provides users with a wide-ranging analysis of their health by tracking a range of biological metrics including heartbeat patterns, exercise habits, sleep patterns, and skin temperature. The fitness tracker also enters into uncharted territory by collecting body photos and voice recordings and transmitting this data for analysis. To calculate the user’s body fat percentage, the Halo requires users to take scans of their body using a smartphone app. These photos are then temporarily sent to Amazon’s servers for analysis while the app returns a three-dimensional image of the user’s body, allowing the user to adjust the image to see what they would look like with different percentages of body fat. The Halo also offers a tone analysis feature that examines the nuances of a user’s voice to indicate how the user sounds to others. To accomplish this task, the device has built-in microphones that listen and record a user’s voice by taking periodic samples of speech throughout the day if users opt-in to the feature.
    • Recent reports have raised concerns about the Halo’s access to this extensive personal and private health information. Among publicly available consumer health devices, the Halo appears to collect an unprecedented level of personal information. This raises questions about the extent to which the tracker’s transmission of biological data may reveal private information regarding the user’s health conditions and how this information can be used. Last year, a study by BMJ (formerly the British Medical Journal) found that 79 percent of health apps studied by researchers were found to share user data in a manner that failed to provide transparency about the data being shared. The study concluded that health app developers routinely share consumer data with third-parties and that little transparency exists around such data sharing.
    • Klobuchar asked the Secretary of Health and Human Services Alex Azar II to “respond to the following questions:”
      • What actions is HHS taking to ensure that fitness trackers like Halo safeguard users’ private health information?
      • What authority does HHS have to ensure the security and privacy of consumer data collected and analyzed by health tracking devices like Amazon’s Halo?
      • Are additional regulations required to help strengthen privacy and security protections for consumers’ personal health data given the rise of health tracking devices? Why or why not?
      • Please describe in detail what additional authority or resources that the HHS could use to help ensure the security and protection of consumer health data obtained through health tracking devices like the Halo.

Coming Events

  • On 15 December, the Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing titled “The Role of Private Agreements and Existing Technology in Curbing Online Piracy” with these witnesses:
    • Panel I
      • Ms. Ruth Vitale, Chief Executive Officer, CreativeFuture
      • Mr. Probir Mehta, Head of Global Intellectual Property and Trade Policy, Facebook, Inc.
      • Mr. Mitch Glazier, Chairman and CEO, Recording Industry Association of America
      • Mr. Joshua Lamel, Executive Director, Re:Create
    • Panel II
      • Ms. Katherine Oyama, Global Director of Business Public Policy, YouTube
      • Mr. Keith Kupferschmid, Chief Executive Officer, Copyright Alliance
      • Mr. Noah Becker, President and Co-Founder, AdRev
      • Mr. Dean S. Marks, Executive Director and Legal Counsel, Coalition for Online Accountability
  • The Senate Armed Services Committee’s Cybersecurity Subcommittee will hold a closed briefing on Department of Defense Cyber Operations on 15 December with these witnesses:
    • Mr. Thomas C. Wingfield, Deputy Assistant Secretary of Defense for Cyber Policy, Office of the Under Secretary of Defense for Policy
    • Mr. Jeffrey R. Jones, Vice Director, Command, Control, Communications and Computers/Cyber, Joint Staff, J-6
    • Ms. Katherine E. Arrington, Chief Information Security Officer for the Assistant Secretary of Defense for Acquisition, Office of the Under Secretary of Defense for Acquisition and Sustainment
    • Rear Admiral Jeffrey Czerewko, United States Navy, Deputy Director, Global Operations, J39, J3, Joint Staff
  • The Senate Banking, Housing, and Urban Affairs Committee’s Economic Policy Subcommittee will conduct a hearing titled “US-China: Winning the Economic Competition, Part II” on 16 December with these witnesses:
    • The Honorable Will Hurd, Member, United States House of Representatives;
    • Derek Scissors, Resident Scholar, American Enterprise Institute;
    • Melanie M. Hart, Ph.D., Senior Fellow and Director for China Policy, Center for American Progress; and
    • Roy Houseman, Legislative Director, United Steelworkers (USW).
  • On 17 December the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (CISA) Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force will convene for a virtual event, “Partnership in Action: Driving Supply Chain Security.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (8 October)

Coming Events

  • The European Union Agency for Cybersecurity (ENISA), Europol’s European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) will hold the 4th annual IoT Security Conference series “to raise awareness on the security challenges facing the Internet of Things (IoT) ecosystem across the European Union:”
    • Artificial Intelligence – 14 October at 15:00 to 16:30 CET
    • Supply Chain for IoT – 21 October at 15:00 to 16:30 CET
  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, and the agency has released a tentative agenda:
    • Restoring Internet Freedom Order Remand – The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11-42)
    • Establishing a 5G Fund for Rural America – The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
    • Increasing Unlicensed Wireless Opportunities in TV White Spaces – The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
    • Streamlining State and Local Approval of Certain Wireless Structure Modifications – The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
    • Revitalizing AM Radio Service with All-Digital Broadcast Option – The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
    • Expanding Audio Description of Video Content to More TV Markets – The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
    • Modernizing Unbundling and Resale Requirements – The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next-generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • Harvard University’s Berkman Klein Center for Internet & Society published a study, “Mail-In Voter Fraud: Anatomy of a Disinformation Campaign,” which found a concerted, almost certainly coordinated campaign led by President Donald Trump, the Republican Party, and conservative media outlets to claim against all evidence that mail voting is rife with fraud. The study points to structural issues in the United States (U.S.) and the broader media that allow parties to disseminate disinformation and propaganda. The authors found the traditional print and television media more effective and complicit in spreading lies and disinformation than social media platforms like Facebook and Twitter. The Berkman Klein Center explained:
    • The claim that election fraud is a major concern with mail-in ballots has become the central threat to election participation during the Covid-19 pandemic and to the legitimacy of the outcome of the election across the political spectrum. President Trump has repeatedly cited his concerns over voter fraud associated with mail-in ballots as a reason that he may not abide by an adverse electoral outcome. Polling conducted in September 2020 suggests that nearly half of Republicans agree with the president that election fraud is a major concern associated with expanded mail-in voting during the pandemic. Few Democrats share that belief. Despite the consensus among independent academic and journalistic investigations that voter fraud is rare and extremely unlikely to determine a national election, tens of millions of Americans believe the opposite. This is a study of the disinformation campaign that led to widespread acceptance of this apparently false belief and to its partisan distribution pattern. Contrary to the focus of most contemporary work on disinformation, our findings suggest that this highly effective disinformation campaign, with potentially profound effects for both participation in and the legitimacy of the 2020 election, was an elite-driven, mass-media led process. Social media played only a secondary and supportive role.
    • Our results are based on analyzing over fifty-five thousand online media stories, five million tweets, and seventy-five thousand posts on public Facebook pages garnering millions of engagements. They are consistent with our findings about the American political media ecosystem from 2015-2018, published in Network Propaganda, in which we found that Fox News and Donald Trump’s own campaign were far more influential in spreading false beliefs than Russian trolls or Facebook clickbait artists. This dynamic appears to be even more pronounced in this election cycle, likely because Donald Trump’s position as president and his leadership of the Republican Party allow him to operate directly through political and media elites, rather than relying on online media as he did when he sought to advance his then-still-insurgent positions in 2015 and the first half of 2016.
    • Our findings here suggest that Donald Trump has perfected the art of harnessing mass media to disseminate and at times reinforce his disinformation campaign by using three core standard practices of professional journalism. These three are: elite institutional focus (if the President says it, it’s news); headline seeking (if it bleeds, it leads); and balance, neutrality, or the avoidance of the appearance of taking a side. He uses the first two in combination to summon coverage at will, and has used them continuously to set the agenda surrounding mail-in voting through a combination of tweets, press conferences, and television interviews on Fox News. He relies on the latter professional practice to keep audiences that are not politically pre-committed and have relatively low political knowledge confused, because it limits the degree to which professional journalists in mass media organizations are willing or able to directly call the voter fraud frame disinformation. The president is, however, not acting alone. Throughout the first six months of the disinformation campaign, the Republican National Committee (RNC) and staff from the Trump campaign appear repeatedly and consistently on message at the same moments, suggesting an institutionalized rather than individual disinformation campaign. The efforts of the president and the Republican Party are supported by the right-wing media ecosystem, primarily Fox News and talk radio functioning in effect as a party press. These reinforce the message, provide the president a platform, and marginalize or attack those Republican leaders or any conservative media personalities who insist that there is no evidence of widespread voter fraud associated with mail-in voting.
    • The primary cure for the elite-driven, mass media communicated information disorder we observe here is unlikely to be more fact checking on Facebook. Instead, it is likely to require more aggressive policing by traditional professional media, the Associated Press, the television networks, and local TV news editors of whether and how they cover Trump’s propaganda efforts, and how they educate their audiences about the disinformation campaign the president and the Republican Party have waged.
  • The Senate Minority Leader and the top Democrats on three committees sent a letter to the acting Secretary of Homeland Security asking him to “release a document that shows President Donald Trump’s attacks on American Elections are consistent with a foreign influence campaign.” Senate Minority Leader Chuck Schumer (D-NY), Senate Intelligence Committee Ranking Member Mark Warner (D-VA), Senate Rules Committee Ranking Member Amy Klobuchar (D-MN), Senate Homeland Security and Governmental Affairs Committee Ranking Member Gary Peters (D-MI), and Senator Ron Wyden (D-OR) wrote to acting Secretary of Homeland Security Chad Wolf:
    • We write to urge you to immediately release to the public a September 3, 2020, analysis produced by the Department’s Office of Intelligence and Analysis. This document demonstrates that a foreign actor is attempting to undermine faith in the US electoral system, particularly vote-by-mail systems, in a manner that is consistent with the rhetoric being used by President Trump, Attorney General Barr, and others.
    • The document has been marked ‘Unclassified/For Official Use Only,’ meaning that its release would not pose a risk to sources and methods and that it has already been widely distributed around the country through unclassified channels. It is now critical and urgent that the American people have access to this document so that they can understand the context of Trump’s statements and actions.
  • Representatives Abigail Spanberger (D-VA) and John Katko (R-NY) introduced the “Foreign Agent Disclaimer Enhancement (FADE) Act” “to protect against the influence of foreign nations that seek to weaken the U.S. electoral system and sow division through online disinformation campaigns.” This bill would close a loophole in the Foreign Agents Registration Act (FARA) that does not require foreign agents to disclose social media posts intended to persuade Americans as they must for other forms of communication. They provided the context for the legislation:
    • This week, the Federal Bureau of Investigation alerted Twitter that accounts likely based in Iran attempted to spread disinformation during the U.S. presidential debate.
    • An April 2020 State Department report warned that China, Iran, and Russia are using the COVID-19 crisis to launch a propaganda and disinformation onslaught against the United States.
    • Spanberger and Katko summarized the bill in their press release:
      • The Foreign Agent Disclaimer Enhancement (FADE) Act would increase transparency by requiring disclaimers attributing political content to a foreign principal be embedded on the face of a social media post itself. With this new requirement, disclaimers would remain with a post whenever the post is subsequently shared. The FADE Act would also clarify that these disclaimer requirements apply to the internet and apply to any political communications directed at the United States — regardless of the foreign agent’s location around the world.
      • To ensure enforcement of these new transparency measures, the FADE Act would require the Department of Justice (DOJ) to notify online platforms if a foreign agent does not meet disclaimer requirements for posts on their platforms, and in these cases, require the platform to remove the materials and use reasonable efforts to inform recipients of the materials that the information they saw was disseminated by a foreign agent. Additionally, the bipartisan bill would require DOJ to prepare a report to Congress on enforcement challenges.
  • Europol issued its annual “Internet Organised Crime Threat Assessment (IOCTA) 2020” that “provides a unique law enforcement-focused assessment of emerging challenges and key developments in the area of cybercrime” in the European Union (EU).
  • Europol highlighted its findings:
    • Cross-Cutting Crime Facilitators And Challenges To Criminal Investigations
      • Social engineering remains a top threat to facilitate other types of cybercrime.
      • Cryptocurrencies continue to facilitate payments for various forms of cybercrime, as developments evolve with respect to privacy-oriented crypto coins and services.
      • Challenges with reporting hinder the ability to create an accurate overview of crime prevalence across the EU.
    • Cyber-Dependent Crime
      • Ransomware remains the most dominant threat as criminals increase pressure by threatening publication of data if victims do not pay.
      • Ransomware on third-party providers also creates potential significant damage for other organisations in the supply chain and critical infrastructure.
      • Emotet is omnipresent given its versatile use and leads the way as the benchmark of modern malware.
      • The threat potential of Distributed Denial of Service (DDoS) attacks is higher than its current impact in the EU.
    • Child Sexual Exploitation Online
      • The amount of online Child sexual abuse material (CSAM) detected continues to increase, further exacerbated by the COVID-19 crisis, which has serious consequences for the capacity of law enforcement authorities.
      • The use of encrypted chat apps and industry proposals to expand this market pose a substantial risk for abuse and make it more difficult for law enforcement to detect and investigate online Child sexual exploitation (CSE) activities.
      • Online offender communities exhibit considerable resilience and are continuously evolving.
      • Livestreaming of child sexual abuse continues to increase and became even more prevalent during the COVID-19 crisis.
      • The commercialisation of online CSE is becoming a more widespread issue, with individuals uploading material to hosting sites and subsequently acquiring credit on the basis of the number of downloads.
    • Payment Fraud
      • SIM swapping is a key trend that allows perpetrators to take over accounts and has demonstrated a steep rise over the last year.
      • Business email compromise (BEC) remains an area of concern as it has increased, grown in sophistication, and become more targeted.
      • Online investment fraud is one of the fastest growing crimes, generating millions in losses and affecting thousands of victims.
      • Card-not-present (CNP) fraud continues to increase as criminals diversify in terms of target sectors and electronic skimming (e-skimming) modi operandi.
    • The Criminal Abuse Of The Darkweb
      • The Darkweb environment has remained volatile, lifecycles of Darkweb market places have shortened, and no clear dominant market has risen over the past year compared to previous years to fill the vacuum left by the takedowns in 2019.
      • The nature of the Darkweb community at administrator-level shows how adaptive it is under challenging times, including more effective cooperation in the search for better security solutions and safe Darkweb interaction.
      • There has been an increase in the use of privacy-enhanced cryptocurrencies and an emergence of privacy-enhanced coinjoin concepts, such as Wasabi and Samurai.
      • Surface web e-commerce sites and encrypted communication platforms offer an additional dimension to Darkweb trading to enhance the overall business model.
  • “43 center-right organizations, think tanks, and policy experts” wrote Senate Majority Whip John Thune (R-SD) “for his leadership and support for the American competitive approach to 5G deployment.” Last week, Thune and 18 Republican colleagues sent President Donald Trump a letter “to express our concerns about a Request For Information (RFI) released by the Department of Defense (DOD) that contradicts the successful free-market strategy you have embraced for 5G.” Late last month, the United States Department of Defense (DOD) released an RFI on the possibility of the agency sharing its prized portions of electromagnetic spectrum with commercial providers to speed the development and adoption of 5G in the United States.
    • The 43 groups argued:
      • We too are concerned with the Department of Defense Request for Information on a government-managed process for 5G development and are alarmed with how quickly it is proceeding. Even more disturbing are the rumors that the RFI was only for show and that the DoD already has an RFP it plans to greenlight.
      • A government-run 5G backbone, wholesale network, or whatever name it goes by, is nationalization of private business. Spectrum sharing is something that must be considered as the nation moves forward with private networks, but it is not a reason for a government takeover. For a government-run network to happen, the federal government would have to either renege on licenses granted to private users or hoard spectrum at the expense of private industry. Either approach would upend well-established licensure policies at the FCC that establish certainty in operating and maintaining complex networks and create massive unnecessary delays to launching 5G networks. Moreover, the government should not be in the business of “competing” with private industry. That’s the business model of China and Russia, not the United States. 
  • The top Democrat on the Senate Intelligence Committee wrote Facebook, Twitter, and Google, urging the companies “to implement robust accountability and transparency standards ahead of the November election, including requirements outlined in the Honest Ads Act…to help prevent foreign interference in elections and improve the transparency of online political advertisements” according to his press release. Senator Mark Warner (D-VA) asserted that “[i]n individual letters to Facebook, Google, and Twitter, [he] detailed the various ways in which each company continues to contribute to the spread of disinformation, viral misinformation, and voter suppression efforts.” Warner “also warned about the imminent risk of bad actors once again weaponizing American-bred social media tools to undermine democracy ahead of the November election, and urged each company to take proactive measures to safeguard against these efforts.” Warner specified:
    • In his letter to Facebook, [he] criticized the platform’s efforts to label manipulated or synthetic content, describing these as “wholly inadequate.” He also raised alarm with instances of Facebook’s amplification of harmful content.
    • Similarly, in a letter to Google, [he] raised concern with the company’s efforts to combat harmful misinformation – particularly disinformation about voting, spread by right-leaning YouTube channels. He also criticized the comprehensiveness of Google’s ad archive, which presently excludes issue ads.
    • In his letter to Twitter, which has banned paid political content and placed restrictions on cause-based advertising, [he] noted that doctored political content continues to spread organically without adequate labeling that slows its spread or contextualizes it for users.
  • Representative Lauren Underwood (D-IL), the new Chair of the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee, wrote Facebook, Twitter, and YouTube, urging them “to address ongoing reports of election-related disinformation targeting Black voters on their platforms” per her press release. She argued “[d]uring the 2016 election, social media platforms were used by malicious actors attempting to silence Black voters and sow racial division…[and] [f]our years later, social media companies have made too little progress toward containing this growing threat.” Underwood “requested information on the steps the companies are taking to prevent voter suppression, interference, and disinformation targeting Black voters.”

Further Reading

  • “Judge Orders Twitter To Unmask FBI Impersonator Who Set Off Seth Rich Conspiracy” By Bobby Allyn — NPR. A magistrate judge in California denied Twitter’s motion to quash a subpoena in order to not reveal the account information of an anonymous user who spread lies about deceased Democratic National Committee staffer Seth Rich and his family regarding the Russian Federation’s interference in the 2016 election.
  • “Justices wary of upending tech industry in Google v. Oracle Supreme Court fight” By Tucker Higgins — CNBC. This week, the Supreme Court of the United States heard oral arguments in the decade-long legal war between Google and Oracle arising from the latter’s claim that the former infringed its ownership rights by using roughly 11,500 lines of code to create its Android operating system from an application programming interface developed by Sun Microsystems, a company bought by Oracle. This case could have huge ramifications for the technology industry if Oracle wins because it could make the development of new products and services much harder.
  • “Facebook to temporarily halt political ads in U.S. after polls close Nov. 3, broadening earlier restrictions” By Elizabeth Dwoskin — The Washington Post. In its newest announcement, Facebook said it will not accept political or issues advertising in the week after election day. This effort is the latest measure the platform has announced to address misinformation and disinformation. Facebook will also label efforts of candidates to claim an election has been decided if it, in fact, has not been. The platform will also remove posts that aim to intimidate voters or suppress the voting turnout.
  • “Leaked: Confidential Amazon memo reveals new software to track unions” By Jason Del Rey and Shirin Ghaffary — recode. The tech giant is turning its data collection and analysis capabilities on its workforce in an effort to prevent unionizing at the United States’ (U.S.) second largest employer.
  • “QAnon High Priest Was Just Trolling Away as a Citigroup Tech Executive” By William Turton and Joshua Brustein — Bloomberg. The fascinating if not horrifying story of how a seemingly well-to-do, mild-mannered tech specialist became one of the key figures in the QAnon conspiracy.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by John Mounsey from Pixabay

Senate Commerce Hearing On Privacy

Senate stakeholders appear no closer to resolving the two key impasses in privacy legislation: preemption and a private right of action.

A week after the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” (S.4626) was introduced, the Senate Commerce, Science, and Transportation Committee held a hearing titled “Revisiting the Need for Federal Data Privacy Legislation” with four former Federal Trade Commission (FTC) Commissioners and California’s Attorney General. Generally speaking, Members used the hearing to elicit testimony on the aspects of a privacy bill they would like to see, with the chair and ranking member asking the witnesses, respectively, about the need for preemption and the benefits of one national privacy standard, and about the need for people to be able to sue as a means of supplementing the limited capacity of the FTC and state attorneys general to police violations of a new law.

The SAFE DATA Act (see here for more analysis) was introduced last week by Committee Chair Roger Wicker (R-MS), Senate Majority Whip and Communications, Technology, Innovation, and the Internet Subcommittee Chair John Thune (R-SD), Transportation and Safety Subcommittee Chair Deb Fischer (R-NE), and Senator Marsha Blackburn (R-TN). Wicker had put out for comment a discussion draft, the “Consumer Data Privacy Act of 2019” (CDPA) (see here for analysis), in November 2019 shortly after the Ranking Member on the committee, Senator Maria Cantwell (D-WA), and other Democrats had introduced their privacy bill, the “Consumer Online Privacy Rights Act” (COPRA) (S.2968) (see here for more analysis).

Chair Roger Wicker (R-MS) stated “[d]uring this Congress, protecting consumer data privacy has been a primary focus of this Committee…[and] [w]e held one of the first hearings of my chairmanship to examine how Congress should address this issue.” He said “[a]t that time, we heard that individuals needed rigorous privacy protections to ensure that businesses do not misuse their data…[and] [w]e heard that individuals need to be able to access, control, and delete the data that companies have collected on them.” Wicker stated “[w]e heard that businesses need a consistent set of rules applied reasonably and fairly to allow for continued innovation and growth in the digital economy…[a]nd we heard that the FTC needs enhanced authority and resources in order to oversee and enforce privacy protections.”

Wicker stated “[i]n the nearly two years since, members of this Committee have done a great deal of work developing legislation to address data privacy.” He said “[w]hile we worked, the world of data privacy did not stand still…[and] [t]he state of California implemented its California Consumer Privacy Act (CCPA) and began enforcement this past summer.” Wicker contended “[l]ong-held concerns remain that the CCPA is difficult to understand and comply with and could become worse if the law is further expanded and amended through an upcoming ballot measure this fall.” He claimed “[t]he European Union has continued to enforce the General Data Protection Regulation (GDPR)…[and] [t]he EU’s main focus appears to be going after the biggest American companies rather than providing clear guidance for all businesses with European citizens as customers.”

Wicker noted

The picture in Europe is even more complex following the recent court ruling invalidating the EU-U.S. Privacy Shield framework, which governed how U.S. companies treated the data of EU citizens. Though the issues in that case were more related to national security than consumer privacy, the result was yet more uncertainty about the future of trans-Atlantic data flows. I look forward to holding a hearing before the end of the year on the now-invalidated Privacy Shield.

Wicker asserted “[t]he biggest new development that has impacted data privacy – as it has impacted so many facets of our life – is the COVID-19 pandemic, which has resulted in millions of Americans working from home.” He said “[t]he increased use of video conferencing, food delivery apps, and other online services increases the potential for privacy violations…[and] [t]he need to collect a great deal of data for contact tracing and to track the spread of the disease likewise raises privacy concerns if done improperly.”

Wicker declared that “[f]or all of these reasons and more, the need for a uniform, national privacy law is greater than ever…[and] [l]ast week I introduced the SAFE DATA Act.” He argued

The SAFE DATA Act would provide Americans with more choice and control over their data. It would require businesses to be more transparent and hold them to account for their data practices. It would strengthen the FTC’s ability to be an effective enforcer of new data privacy rules. And it would establish a nationwide standard so that businesses know how to comply no matter where their customers live, and so that consumers know their data is safe wherever the company that holds their data is located.

Wicker stated that “[t]he SAFE DATA Act is the result of nearly two years of discussions with advocacy groups, state and local governments, nonprofits, academics, and businesses of every size and from every sector of the economy – my thanks to all of those.” He claimed “[t]he diversity of voices was essential in crafting a law that would work consistently and fairly for all Americans.” Wicker contended “we have a chance to pass a strong national privacy law that achieves the goals of privacy advocates with real consensus among members of both parties and a broad array of industry members.”

Ranking Member Maria Cantwell (D-WA) stated “[p]rotecting Americans’ privacy rights is critical, and that has become even sharper in the focus of the COVID-19 crisis, where so much of our lives have moved online.” She noted “[t]he American people deserve strong privacy protections for their personal data, and Congress must work to act in establishing these protections.” Cantwell said “[l]ast year, along with Senators [Brian] Schatz (D-HI), [Amy] Klobuchar (D-MN), and [Ed] Markey (D-MA), I introduced the “Consumer Online Privacy Rights Act” (COPRA) (S.2968).” She claimed “[t]he bill is pretty straightforward…[and] provides foundational privacy rights to consumers, creates rules to prevent abuse of consumer data, and holds companies accountable with real enforcement measures.” Cantwell said “[u]nfortunately, other legislation throughout the legislative process, I think has taken different approaches…[and] [t]hese bills allow companies to maintain the status quo, burying important disclosure information in long contracts, hiding where consumer data is sold, and changing the use of consumer data without their consent.” She concluded that “obviously, I believe these loopholes are unacceptable.”

Cantwell argued

Most strikingly, these bills would actually weaken consumer rights around the country by preempting stronger state laws. Attorney General Becerra is with us today and I appreciate him being able to join us, because this would have an impact on a broad preemption, I should say, would have an impact on 40 million Californians who are protected by your privacy law and the privacy protections in your state. So we need to resolve this issue. But we can’t do so at the expense of states who have already taken action to protect the privacy of their citizens.

Cantwell stated that “[f]inally, we also know that individuals must have the right to their day in court, when privacy is violated, even with the resources and expertise and enforcers like the FTC–many of you, I know, know these rules well, and Attorneys General–we will never be able to fully police the thousands and thousands of companies collecting consumer data if you are the only cop on the beat.” She said “I’d like to go further, but there are many issues that we’re going to address here. I want to say that the legislation also needs to cover the complex issues of, you know, health and safety standards and important issues.” Cantwell stated “[t]he Supreme Court discussion that we’re now having, I think will launch us into a very broad discussion of privacy rights and where they exist within the Constitution.” She explained “[j]ust this recent court ruling that put at risk the little known but vital important provision of the FTC Act 13b, which allows the FTC to go to court to obtain refunds and other redress for consumers–the 10 billion dollars for example in the Volkswagen case–without this provision, the core mission of the FTC would be crippled.”

Cantwell asserted “I think all of these issues, and the important issues of privacy rights, should and will have a fair discussion, if we can have time to discuss them in this process…[and] I believe the issue of how the government interferes in our own privacy rights, whether the government oversteps our privacy rights, is a major issue to be discussed by this body in the next month.” She added “I don’t believe in some of the tactics that government has used to basically invade the privacy rights of individuals.”

Cantwell stated that “next week the minority will be introducing a report that we’ve been working on about the value of local journalism…[and] I believe the famous economist who said that markets need perfect information.” She argued “[w]e’re talking about the fact that if markets are distorted by information, then that really cripples our economy…[and] I think local journalism in a COVID crisis is proving that it’s valued information with the correct information on our local communities, and I think that this is something we need to take into consideration as we consider privacy laws and we consider these issues moving forward.”

Former FTC Commissioner and Microsoft’s Corporate Vice President, Chief Privacy Officer, and Deputy General Counsel for Global Privacy and Regulatory Affairs Julie Brill explained that “Microsoft believes that comprehensive federal privacy legislation should support four key principles: consumer empowerment, transparency, corporate responsibility, and strong enforcement:

  • Consumer Empowerment. Empower consumers with the tools they need to control their personal information, including the ability to make informed choices about the data they provide to companies, to understand what data companies know about them, to obtain a copy of their data, to make sure the data is accurate and up to date, and to delete their data. Americans care deeply about having meaningful control over their data. In just the past nine months, from January 1, 2020 to September 18, 2020, Microsoft received over 14 and a half million unique global visitors to its privacy dashboard, where they were able to exercise their ability to control their data. This continued engagement with the control tools we provide included over 4 and a half million visitors from the United States, representing the greatest level of engagement from any single country.
  • Transparency. Require companies to be transparent about their data collection and use practices, by providing people with concise and understandable information about what personal information is collected from them, and how that information is used and shared.
  • Corporate Responsibility. Place direct requirements on companies to ensure that they collect and use consumers’ data in ways that are responsible, and demonstrate that they are worthy stewards of that data.
  • Strong Enforcement. Provide for strong enforcement through regulators, and ensure they have sufficient resources to enforce the legal requirements that organizations must uphold, but also to be well-grounded in the data collection and analysis technologies that are used in the modern digital economy. These are the key elements that are required to build a robust and lasting U.S. privacy law.

George Washington University Law School Professor, King’s College Visiting Professor, and United Kingdom Competition and Markets Authority Non-Executive Director and former FTC Chair William E. Kovacic said:

As Congress defines the substantive commands of a new omnibus law, I suggest a close review of the FTC’s experience in implementing the Telemarketing Sales Rule. To my mind, this experience offers several insights into the design of privacy protections:

  • In addition to unfair or deceptive acts and practices, the definition of forbidden behavior should encompass abusive conduct, as the FTC has developed that concept in the elaboration of the Telemarketing Sales Rule (TSR). I single out 2003 TSR amendments, which established the National Do Not Call Registry, popularly known as the Do Not Call Rule (DNC Rule). In applying the concept of abusive conduct, the DNC Rule used a definition of harm that reached beyond quantifiable economic costs of the challenged practice (i.e., the time lost and inconvenience associated with responding to unwanted telephone calls to the home). The DNC Rule’s theory of harm focused on the fact that, to many citizens, telemarketing calls were annoying, irritating intrusions into the privacy of the home. A new privacy regime could build on this experience and allow privacy regulators, by rulemaking and by law enforcement, to address comparable harms and to create standards that map onto common expectations for data protection and security.
  • The coverage of the omnibus statute should be comprehensive. Privacy authorities should have power to apply the law to all commercial actors (i.e., with no exclusions for specific economic sectors) and to not-for-profit institutions such as charitable bodies and universities.
  • The omnibus law should clarify that its restrictions on the accumulation and use of data about individuals apply to their status as consumers and employees. Since the late 1990s, the FTC at times has engaged in debatable interpretations of its authority under Section 5 of the Federal Trade Commission Act to assure foreign jurisdictions that it has authority to enforce promises regarding the collection and transfer by firms of information about their employees.

Kovacic stated “[w]ith this general framework in mind, my testimony proposes that an omnibus privacy law should enhance the institutional arrangements for administering a new substantive privacy framework. This statement:

  • Sets out criteria to assess the performance of the entities implementing U.S. privacy policy, and to determine how to allocate tasks to institutions responsible for policy development and law enforcement.
  • Suggests approaches to increase the coherence and effectiveness of the US privacy system and to make the United States a more effective participant in the development of international privacy policy.
  • Considers whether the FTC, with an enhanced mandate, should serve as the national privacy regulator, or whether the FTC’s privacy operations should be spun off to provide the core of a new privacy institution.

Kovacic explained

This statement concludes that the best solution is to take steps that would enhance the FTC’s role by (a) eliminating gaps in its jurisdiction, (b) expanding its capacity to promote cooperation among agencies with privacy portfolios and to encourage convergence upon superior policy norms, and (c) providing resources necessary to fulfill these duties. The proposal for an enlarged FTC role considers two dimensions of privacy regulation. The first is what might be called the “consumer-facing” elements of a privacy. My testimony deals mainly with the relationship between consumers and enterprises (for-profit firms and not-for-profit institutions, such as universities) that provide them with goods and services. My testimony does not address the legal mechanisms that protect privacy where the actors are government institutions. Thus, I do not examine the appropriate framework for devising and implementing policies that govern data collection and record-keeping responsibilities of federal agencies, such as bodies that conduct surveillance for national security purposes.

21st Century Privacy Coalition Co-Chair and Former FTC Chair Jon Leibowitz asserted:

  • Congress does not need to reinvent the wheel. Many of the elements I would propose are consistent with recommendations made by my former agency in its 2012 Privacy Report, drafted after years of work and engagement with stakeholders of all kinds. Technology will continue to change, but the basic principles enshrined in the Report remain the most effective way to give consumers the protections they deserve.
  • My view, and that of the Report, is that national privacy legislation must give consumers statutory rights to control how their personal information is used and shared, and provide increased visibility into companies’ practices when it comes to managing consumer data. Such an approach should provide consumers with easy-to-understand privacy choices based upon the nature of the information itself—its sensitivity, the risk of consumer harm if such information is the subject of an unauthorized disclosure—and the context in which it is collected. For example, consumers expect sensitive information—including health and financial data, precise geolocation, Social Security numbers, and children’s information—to receive heightened protection to ensure confidentiality.
  • Therefore, a muscular privacy law should require affirmative express consent for the use and sharing of consumers’ sensitive personally identifiable information, and opt-out rights for non-sensitive information. But consumers do not expect to consistently provide affirmative consent to ensure that companies fulfill their online orders or protect them from fraud; thus, inferred consent for certain types of operational uses of information by companies makes sense. Consumers should also have rights of access and deletion where appropriate, and deserve civil rights protections thoughtfully built for the Internet age.
  • Another key tenet of the FTC Report is that privacy should not be about who collects an individual’s personal information, but rather should be about what information is collected and how it is protected and used. That is why federal privacy legislation should be technology- and industry-neutral. Companies that collect, use, or share the same type of covered personal information should not be subject to different privacy requirements based on how they classify themselves in the marketplace.
  • Rigorous standards should be backed up with tough enforcement. To that end, Congress should provide the FTC with the ability to impose civil penalties on violators for first-time offenses, something all of the current Commissioners—and I believe all the former Commissioners testifying here today—support. Otherwise, malefactors will continue to get two bites at the apple of the unsuspecting consumer. And there is no question in my mind that the FTC should have the primary authority to administer the national privacy law. The FTC has the unparalleled institutional knowledge and experience gained from bringing more than 500 cases to protect the privacy and security of consumer information, including those against large companies like Google, Twitter, Facebook, Uber, Dish Network, and others. Congress should not stop there.
  • The way to achieve enhanced enforcement is by giving the FTC, an agency that already punches above its weight, the resources and authority to carry out its mandate effectively. As of 2019, there were fewer employees (“FTEs”) at the agency now than there were in 1980, and the American population has grown by more than 100 million people since then. The number of FTEs has actually decreased since I left the agency in 2013 until this year.
  • Moreover, the FTC clearly has a role to play in developing rules to address details that Congress may not want to tackle in the legislation itself as well as new developments in technology that could overwhelm (or circumvent) enforcement. For that reason, you should give the agency some APA rulemaking authority to effectively implement your law. Having said that, Congress should not overwhelm the FTC with mandated rulemaking after rulemaking, which would only bog the agency down instead of permitting it to focus on enforcing the new law.

California Attorney General Xavier Becerra argued:

  • In the data privacy space, the optimal federal legal framework recognizes that privacy protections must keep pace with innovation, the hallmark of our data-driven economy. State law is the backbone of consumer privacy in the United States. Federal law serves as the glue that ties our communities together. To keep pace, we must all work from the same baseline playbook, but be nimble enough to adapt to real-world circumstances on the field where we meet them. I urge this committee to proceed in your work in a manner that respects—and does not preempt—more rigorous state laws, including those we have in California.
  • Like any law, the CCPA is not perfect, but it is an excellent first step. Consumers deserve more privacy and easier tools. For example, in the regulations implementing the CCPA, the California Department of Justice tried to address the frustration of consumers who must proceed website-by-website, browser-by-browser in order to opt out of the sale of their personal information. One provision of our regulations intended to facilitate the submission of a request to opt-out of sale by requiring businesses to comply when a consumer has enabled a global privacy control at the device or browser level, which should be less time-consuming and burdensome. I urge the technology community to develop consumer-friendly controls to make exercise of the right to opt out of the sale of information meaningful and frictionless. Making technology work for consumers is just as important as the benefits businesses receive in innovating.
  • There are also ways in which CCPA could go further and require refinement of its compliance measures. For example, the CCPA currently only requires disclosure of “categories of sources” from which personal information is collected and “categories of third parties” to whom personal information is sold. More specific disclosures, including the names of businesses that were the source or recipient of the information, should be required so that consumers can know the extent to which their information has been shared, bartered, and sold. If I receive junk mail from a company, I should be able to find out how it got my address and to whom it shared the information so I can stop the downstream purchase of my personal data. For now, businesses are not legally required to share that granularity of information. Consumers should also have the ability to correct the personal information collected about them, so as to prevent the spreading of misinformation.
  • On a broader level, if businesses want to use consumers’ data, they should have a duty to protect and secure it, and wherever feasible, minimize data collection. Businesses should no longer approach consumer data with the mindset, “collect now, monetize later.” There should be a duty imposed to use a consumer’s personal information in accordance with the purposes for which the consumer allowed its collection, and in the consumer’s interest, especially with the collection and storage of sensitive information, like precise geolocation. Although CCPA requires transparent notice at collection, moving beyond a notice-and-consent framework to contemplate use limitations would make our privacy rights more robust and balanced.
  • We need clear lines on what is illegal data use from the context of civil rights protections. Indirect inferences based on personal information should not be used against us in healthcare decisions, insurance coverage or employment determinations. We need greater transparency on how algorithms impact people’s fundamental rights of healthcare, housing and employment, and how they may be perpetuating systemic racism and bias. Predatory online practices, such as increased cross-site tracking after a user browses healthcare websites, must be addressed.
  • Finally, new laws should include a private right of action to complement and fortify the work of state enforcers. While my office is working hard to protect consumer privacy rights in California, and our sister states do the same in their jurisdictions, we cannot do this work alone. While we endeavor to hold companies accountable for violations of privacy laws, trying to defend the privacy rights of 40 million people in California alone is a massive undertaking. Violators know this. They know our scope and reach are limited to remedying larger and more consequential breaches of privacy. Consumers need the authority to pursue remedies themselves for violations of their rights. Private rights of action provide a critical adjunct to government enforcement, and enable consumers to assert their rights and seek appropriate remedies. Consumer privacy must be real, it deserves its day in court.


Image by KaraSuva from Pixabay

Senate Judiciary Hearing On Google

A committee looks at the possible antitrust practices of Google in the adtech market.

The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release announcing the hearing, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:

Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.

Chair Mike Lee (R-UT) said the focus of the hearing is Google’s online advertising business and whether it is a monopolist or has engaged in any conduct that harms competition and consumers. He said he would discuss antitrust policy more broadly before discussing Google. Lee remarked he has served on the subcommittee for nine years, six of which as chair, and during this period antitrust policy has evolved and a gulf has widened between the two sides of the issue. He claimed there are those who would like to see no antitrust laws at all, while others are overly deferential to speculative efficiencies, quick to dismiss actual evidence of competitive harm when it might conflict with unproven economic theories. Lee argued this end of the spectrum fetishizes freedom even when harm might endanger freedom. He claimed they forget that markets, like governments, do not keep themselves free, and that liberty is only secure when power is diffused.

Lee said at the other extreme is a line of arguments that has been pushing for years an agenda to transform antitrust laws from a tool based in economic science to protect and promote competitive markets into a panacea for all their perceived social ills. He said built on the myopic economic premise that big is bad, which is, to them, the beginning and end of the question, some at this end of the spectrum would use antitrust policy to address labor, racial, and income disparities. Lee conceded these may be laudable goals, but these are not problems antitrust law is meant to solve nor are they goals antitrust law is capable of solving, at least not without creating a host of other problems. He argued that attempts to repurpose antitrust law into a social justice program would have scores of unintended consequences that would cripple the United States’ (U.S.) economy for generations. He noted there is hypocrisy in thinking big is bad only applies to corporations and not to government bureaucracy, the type needed to dismantle large companies and regulate them.

Lee said he is on the side of the American people, the law, and vigorous enforcement of antitrust laws that have made the U.S. the most prosperous nation on earth. He asserted that already enacted laws are, for the most part, sufficient to meet the challenges of the day. Lee reiterated the maxim that liberty is only secure when power is diffused, a principle central to the U.S.’ Constitutional Republic. Lee claimed the concept of federalism, perhaps the greatest contribution of the founding generation, is what makes the U.S. unique among all other nations. He stated this principle applies to economic power as it does to political power. Lee contended that antitrust laws may be properly described as federalism for the economy.

Lee said that the hearing is focused on what may prove the seminal antitrust case of the 21st Century that may define the terms of competition and innovation in the U.S.’ dynamic economy for years and decades to come. He said unlike some of his House colleagues, he has no interest in staging a political spectacle to attack, condescend, and talk over witnesses. Lee remarked that, naïve though it may be in 2020, his hope is that by looking at this specific question, the subcommittee can have a serious and frank conversation about the state of competition in digital markets. He declared that online advertising is an incredibly complex business, one that touches every single person on the internet.

Lee explained the technologies that connect publishers and advertisers have evolved rapidly over the last decade, and the expansion of online advertising has facilitated an explosion of online content by allowing even the smallest website owner to monetize the content they produce. He said small and local businesses have also benefitted from being able to quickly and easily promote their businesses without any of the same capital investments that would have been required just a few decades ago. Lee admitted that at the same time, this growth and expansion has been largely consolidated onto a single platform, Google’s online ad business. He said that as business has grown, so, too, have complaints that Google, which operates both the ad selling and ad buying platforms and then sells its own inventory through those platforms, has given rise to conflicts of interest and claims it has rigged online ad auction technology to favor its own interests and protect its own market share. Lee said whether this is true or not matters because so many businesses depend upon digital advertising to market their products or to monetize the content they produce. Web users in turn benefit from free online content and being connected to relevant businesses in a way that helps to make optimal business decisions. Lee said, simply put, markets function better when businesses thrive, and consumers are informed. He asserted ideally online advertising helps accomplish this, but, if, on the other hand, online advertising has been monopolized and constrained by opaque pricing and exclusionary conditions, everyone loses to that degree. Lee added that Google and other big tech companies have been accused of other bad acts unrelated to antitrust or competition, and he said he has repeatedly expressed his concern about anti-conservative bias by these firms. He pledged to continue to pursue these concerns but added that while his concerns about anti-conservative bias may have implications for antitrust like market power, today’s hearing is not fundamentally about those concerns.

Ranking Member Amy Klobuchar (D-MN) explained

  • We are not having this hearing because Google is successful. Google is successful. I just used it on my way here. Or because Google is big. That’s not why, from my perspective, we’re having this hearing. We are having it because even successful companies, even popular companies, and even innovative companies are subject to the laws of this country including our antitrust laws.
  • We are all successful when we make sure that our economy is strong and our economy is working better. But the law can’t be blinded by Google’s success or its past innovations if the company in its zeal to achieve greater success crosses a line into anticompetitive behavior. It’s our job to regulate it. It’s that simple. So we’re going to touch on issues, I hope, today of competition, technological innovation, the use of personal data. These are some of the defining issues, as the chair has said, defining issues of our time and I personally think, as we go into the months to come, this won’t just be about Google. This isn’t even just about the tech industry as much as I believe we need to change our laws and look at monopsonies and look at changing the burdens and making it so that our laws are as sophisticated as the companies that now occupy our economy.

Klobuchar asserted:

  • I think we need to do all that and I think it should be a huge priority going into the year. But right now as the chairman mentioned, we are focused on this issue today. Our society has never been more dependent on this technology than we are now in the midst of this global pandemic. As I noted, not just Google, the pandemic has forced a bunch of small businesses to close their doors and the five largest tech companies continue to thrive to the point where they briefly accounted for nearly 25% value of the entire S&P 500 stock index just a few weeks ago.
  • Again, I don’t quarrel with their success, but we have to start looking at do our laws really match that situation. And even if the original intent when these companies started as start-ups was to be innovative, which they’ve been, at what point do you cross the line so you squelch innovation and competition from other companies? We start with this, the ownership and use of data.
  • The powerful companies that provide us with these technologies are also collecting personal information. We know that. They know who our friends are, they know the books we read, where we live, whether we’ve graduated from college, income levels, race, how many steps we took yesterday. The chairman and I share an interest in this. How long we’ve stayed where we are. Machine learning analyzes troves of personal data, allowing our firms to discern even more sensitive information about us, our medical conditions, political, religious views and even preferences that we don’t even know we have. And why would companies do all of this? Well, put simply, to target us with digital advertisements. There’s really no other reason. It is a capitalist society. That’s what they do.

Klobuchar stated

  • Now, Google makes more money doing that than any company in the world, hands down, by leveraging its unmatched access to consumer data gained through its existing dominance in online and mobile search, mobile operating systems, Android, email, Gmail, online and mobile video, YouTube, browsers, Chrome, mobile mapping apps, Google maps and ad technology.
  • So, this ad technology ecosystem, known as the ad tech stack, consists of advertisers on one side and publishers on the other. So let’s look at these two sides. On the advertising side Google controls access to the huge number of advertisers that place ads on Google search which is nearly 90% of the search market and has unparalleled access to data as I described. On the publisher side, Google has privileged access to ad data to inform its bidding strategies. And then it also effectively controls the process, the ad auction process, that gets an advertiser’s ad to be put on a publisher’s site. Google dominates all the markets for services on both sides of the ad/tech stack, the publisher side and the advertising side, and I hope that will be a lot of our focus today. Research has suggested that Google may be taking between 30 and 70 percent of every advertising dollar spent by advertisers using its services depriving publishers of that revenue. Who are the publishers? They’re content producers. They’re things like the Minneapolis Star Tribune, they depend on revenue, so many of our content producers, our news producers do to get by.  
  • And to me, given that my dad was a journalist, to me this is one of the key elements here because if you have unfairness in how that ad ecosystem is going, then you’re depriving these news organizations at a time when the first amendment is already under assault of the revenue that they need to keep going. So whether it’s happening, and we don’t know all of the details at the Department of Justice right now, this could be the beginning of a reckoning for our antitrust laws to start looking at how we’re going to grapple with the new kinds of markets that we see across the country. It would help answer the question whether our federal antitrust laws are able to restrain the business conduct of even the largest, most successful companies in the world. When you think of the breakup of AT&T, that was our last big thing that happened in the antitrust area. Really big thing. What did that lead to? Lower prices, more competition. It really worked. But we’re not able to do this right now.
  • And my hope is that we’re getting the start and the Justice Department, that things are going on at the FTC. But to really do that, they’re going to do resources to take on the legions of lawyers at the companies and that’s my first goal. What can we do for enforcement? My second, what do we have to do to make the laws work better, to look at some of the deals that have already been made? The third is what are the remedies? Do they make a difference in changing the behavior and allowing competition? I literally don’t have personal grudges against these companies like sometimes the president has expressed about various companies. I don’t. I just want our capitalist system to work. I want it to work. And to have it work you simply can’t have one company dominating areas of an industry. Our Founding Fathers started this country in part because they were rebelling against monopoly power.

Google Global Partnerships and Corporate Development President Donald Harrison stated

  • Online advertising prices in the U.S. have fallen more than 40% since 2010. According to the Progressive Policy Institute, “for every $3 that an advertiser spends on digital advertising, they would have to spend $5 on print advertising to get the same impact.” As a result, the share of U.S. GDP going to advertising in media has declined roughly 25% in recent years. The benefits of these lower prices flow directly to American businesses and consumers.
  • We help businesses grow from advertising on (1) our own sites, and (2) other publishers’ sites.
    • Advertising on Google sites and apps
    • A wide range of businesses, including many small firms, advertise on our sites and apps like Google Search and YouTube. That’s where we earn the majority of our advertising revenue.
    • We show no ads — and make no money — on the vast majority of searches. We show ads only on a small fraction of searches, typically those with commercial intent, such as searches for “sneakers” or “toaster.” We face intense competition for these types of searches. An estimated 55 percent of Americans start product searches on Amazon, not Google. And many online shoppers use Walmart, eBay, and other sites. For travel searches, many go to Expedia, Kayak, Orbitz, and TripAdvisor. Facebook, Bing, Twitter, Snap, Pinterest, and many more compete with us for a range of commercial advertisements.
    • Advertising on non-Google sites and apps
    • In addition to ads on our own properties, Google also helps businesses advertise on a wide range of other websites and mobile applications, known as “publishers.” We offer technology that (1) helps advertisers buy ad space — known as the “buy side,” and (2) helps publishers sell their ad space — known as the “sell side.” This technology is often referred to as “ad tech.”
    • The ad tech portion of our business accounts for a small fraction of our advertising revenue. And we share the majority of that revenue with publishers. Publishers get paid for every impression — each time an ad is viewed — even if the ad is never clicked. Of the revenue we retain, a large portion goes to defray the costs of running this complex and evolving business.
  • A crowded and competitive ad tech ecosystem
    • The ad tech space is crowded and competitive. Thousands of companies, large and small, work together and in competition with each other, each with different specialties and technologies. We compete with Adobe, Amazon, AT&T, Comcast, Facebook, News Corporation, Oracle, and Verizon, as well as leaders like Index Exchange, Magnite, MediaMath, OpenX, The Trade Desk, and many more.
  • Google shares billions of dollars with publishers, more than the industry average.
    • Even as online ad prices and ad tech fees have fallen, benefiting businesses and consumers, Google has helped publishers make more money from ads. In 2018, we paid more than $14 billion to the publishing partners in our ad network — up from $10 billion in 2015.
    • In 2019, when both advertisers and publishers used our tools, publishers kept over 69 percent of the ad revenue — more than the industry average. And when publishers use our tools to sell directly to advertisers, they keep even more of the revenue.

Chalice Custom Algorithms Chief Executive Officer Adam Heimlich contended

  • In 2016, Google combined search and display data, breaking a promise made to American regulators. Google also broke the industry’s privacy standard by linking consumers’ names, from Gmail, to the ID numbers assigned to browsers for exchange transactions.
  • Continuously, from 2016, Google came up with new ways to pollute the exchange ecosystem they’d previously seemed to embrace. Pollution came in the form of restrictions and exclusions that made the open web less efficient for buyers and sellers.
  • Google took YouTube, Google’s most valuable display property, off the exchanges, while making it available through an exclusive “pipe” from Google’s exchange bidder. Google excluded data providers from its websites and measurement partners from its platforms. Google’s selling platform denied publishers’ demand for a unified, exchange-vs-exchange action. To keep publishers from getting rid of Google’s software, Google funnels exclusive display demand from its search platform through it. Google weaponized new privacy laws to restrict advertisers’ and publishers’ access to their own ad data in Google tools.
  • Google tightened ties among its products until the shady broker was no longer one among a set of competitors: Google became the only display company not hobbled by the exclusions and restrictions it’d placed on everyone else. The power to interoperate among buy-side, sell-side and measurement software went from being a feature of the exchange ecosystem to a capability exclusive to Google.
  • Now, progress on innovation is squeezed to the margins of the industry, and new adtech is rare. The majority of advertisers have stagnated or regressed.
  • There’s more at stake than most people realize. The more efficient the ad market, the more likely it is that superior new products will find customers and thrive. When the ad exchanges function properly, the size advantage from flooding the airwaves is offset by quieter voices speaking directly to whoever’s most open to any given improvement. It tilts the incentives of every business toward innovation.
  • Google is dominating display by breaking interoperability and subtracting the efficiencies of a symmetrical market. Pre-2016, under intense competitive pressure, ad exchanges were becoming more transparent and privacy-respectful as the ecosystem grew. Google could have coped with these developments without using its market power destructively: There was nothing to stop Google from exiting the arena or competing within its open standards. Whether or not Google competes with other big tech firms is irrelevant to the harms they’ve caused publishers, measurement companies, platforms and small businesses like mine in the ~$50B open web display market.
  • It was efficient when publishers, platforms, measurement tools and service providers all interoperated. Innovators of a great new product or service could access a global marketplace of thousands of buyers and sellers quickly at low cost. Small businesses with great ideas had a shorter ramp to success.
  • Now, funding for new adtech startups has been drying up and the pace of innovation slowed down. The number-one concern I hear from potential investors is Google’s domination of the market my company operates in. For years, they’ve been breaking existing efficiencies and preventing the development of new ones.
  • Many expect Google to successfully mislead regulators about its conduct in the open web, and its harmful effects. I’m grateful for the opportunity to help scrutinize Google’s claims. For the sake of competition, the innovation competition drives and the benefits innovation brings, Google should be forced to either exit the ad exchange market or compete within its open standards.

Omidyar Network Beneficial Technology Senior Advisor David Dinielli stated

  • [U]nder current law, there is a strong case to be made that Google has illegally monopolized, or illegally maintained a monopoly in, the market for digital advertising on what is termed the “open web,” i.e., advertising that appears on websites as users traverse the internet.
  • Through a variety of conduct described herein, Google now occupies every layer of the “ad tech stack”—a term that describes the various functions that serve to match website publishers with the advertisers who seek to deliver targeted ads to consumers who are viewing those websites. In antitrust parlance, website publishers provide the “supply” of ad space, and advertisers create the “demand” for that space. The market for this sort of advertising is unique and appears on its face dysfunctional from an antitrust standpoint: Google—through its various ad tech tools – represents both the suppliers and the purchasers and also conducts the real-time auctions that match buyers and sellers and determine the price. Moreover, Google appears to have engaged in a multitude of anti-competitive acts, such as making the ad space on YouTube (which it owns) available exclusively through its own ad tech tools, that were designed to cement its lock on this market and exclude competitors. As my co-author and I said in a recent paper about the digital advertising market, “all roads lead through Google.”
  • Google has asserted that the digital advertising market is vibrant and competitive, and that publishers and advertisers have many options in buying and selling advertising space. Of course, it is not surprising that there are some other actors in this market, given the significant profits to be made. But a recent report from the United Kingdom’s Competition and Markets Authority (“CMA”) explained, based on an extensive factual investigation, that Google holds a dominant position—as high as 90%—in every layer of the ad tech stack. Moreover, a monopolization case in the U.S. does not require proof that the alleged monopolist hold 100% of a particular market—which would make it literally a monopolist—but rather that it has “monopoly power” and that it has engaged in anticompetitive conduct to obtain or maintain that power rather than competing on the merits. Google’s conduct as described herein surely fits that standard.
  • Digital advertising is complex and the tools and processes that allow for near-instantaneous placement of ads every time we open a web page can seem opaque. But the consequences of unchecked power in this market are significant. If advertisers are paying higher prices than would obtain in a well-functioning market, economic theory teaches that those higher advertising prices will be passed down to consumers in the form of increased prices for goods and services. If website publishers, such as local news outlets, are being paid less than they should for their supply of advertising space, they will invest less in content creation and news gathering. Google is the winner and the rest of us are the losers. This committee therefore is right in investigating if current antitrust law is up to the task of ensuring competition in digital advertising and exploring possible legislative fixes if it is not.

Netchoice Vice President and General Counsel Carl Szabo stated

  • Among the many Google products and services that consumers love are Google Search, YouTube, Gmail, and Google Drive—all amazingly useful, and all free. To many critics of “Big Tech,” however, when consumers enthusiastically choose these free-of-charge products, it amounts to proof that something must be wrong. Every successful new service or product that proves a winner with consumers is deemed by these critics to be just another antitrust violation.
  • But Google’s greatest successes are being won in markets with the greatest competition. In the digital ads market, for example, Google faces fierce competitive pressure. You would never know that listening to the critics.
  • For starters, Google is no monopoly. It’s wildly popular with consumers, yes. And true, it’s also very popular with investors. But the company faces competition from all corners, including from other tech platforms such as Facebook and Amazon (which are simultaneously and thus illogically also dubbed monopolies).
  • Far from being evidence of any unlawful conduct, Google’s success under these conditions offers abundant proof that it is meeting and exceeding the fundamental test that has been the bedrock of antitrust law for the last 40 decades: are consumers benefitting? There can be little doubt on this point, for Google’s users vote daily with their choices. In order to dismiss this as irrelevant, the critics are now arguing that antitrust enforcement should simply abandon the consumer welfare standard, enabling them to attack “bigness” per se. This would undermine the very purpose of antitrust law since its inception more than a century ago.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (17 August)

Here are Coming Events, Other Developments, and Further Reading.

Coming Events

  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” By 21 August, the FTC “is seeking comment on a range of issues including:
    • How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
    • What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
    • To what extent has data portability increased or decreased competition?
    • Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
    • Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
    • Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
    • How do companies verify the identity of the requesting consumer before transmitting their information to another company?
    • How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
    • What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • On 14 August, the California Office of Administrative Law (OAL) approved the Attorney General’s proposed final regulations to implement the California Consumer Privacy Act (CCPA) (A.B.375) and they took effect that day. The Office of the Attorney General (OAG) had requested expedited review so the regulations may become effective on 1 July as required by the CCPA. With respect to the substance, the final regulations are very similar to the third round of regulations circulated for comment in March, in part, in response to legislation passed and signed into law last fall that modified the CCPA.
    • The OAL released an Addendum to the Final Statement of Reasons and explained
      • In addition to withdrawing certain provisions for additional consideration, the OAG has made the following non-substantive changes for accuracy, consistency, and clarity. Changes to the original text of a regulation are non-substantive if they clarify without materially altering the requirements, rights, responsibilities, conditions, or prescriptions contained in the original text.
    • For further reading on the third round of proposed CCPA regulations, see this issue of the Technology Policy Update, for the second round, see here, and for the first round, see here. Additionally, to read more on the legislation signed into law last fall, modifying the CCPA, see this issue.
    • Additionally, Californians for Consumer Privacy have succeeded in placing the “California Privacy Rights Act” (CPRA) on the November 2020 ballot. This follow-on statute to the CCPA could again force the legislature into making a deal that would revamp privacy laws in California, as happened when the CCPA was added to the ballot in 2018. It is also possible this statute remains on the ballot and is added to California’s laws. In either case, much of the CCPA and its regulations may be moot or in effect for only the few years it takes for a new privacy regulatory structure to be established as laid out in the CPRA. See here for more detail.
  • In a proposed rule issued for comment, the Federal Communications Commission (FCC) explained it is taking “further steps to protect the nation’s communications networks from potential security threats as the [FCC] integrates provisions of the recently enacted Secure and Trusted Communications Networks Act of 2019 (Secure Networks Act) (P.L. 116-124) into its existing supply chain rulemaking proceeding….[and] seeks comment on proposals to implement further Congressional direction in the Secure Networks Act.” Comments are due by 31 August.
    • The FCC explained
      • The concurrently adopted Declaratory Ruling finds that the 2019 Supply Chain Order, 85 FR 230, January 3, 2020, satisfies the Secure Networks Act’s requirement that the Commission prohibit the use of funds for covered equipment and services. The Commission now seeks comment on sections 2, 3, 5, and 7 of the Secure Networks Act, including on how these provisions interact with our ongoing efforts to secure the communications supply chain. As required by section 2, the Commission proposes several processes by which to publish a list of covered communications equipment and services. Consistent with sections 3, 5, and 7 of the Secure Networks Act, the Commission proposes to (1) ban the use of federal subsidies for any equipment or services on the new list of covered communications equipment and services; (2) require that all providers of advanced communications service report whether they use any covered communications equipment and services; and (3) establish regulations to prevent waste, fraud, and abuse in the proposed reimbursement program to remove, replace, and dispose of insecure equipment.
    • The agency added
      • The Commission also initially designated Huawei Technologies Company (Huawei) and ZTE Corporation (ZTE) as covered companies for purposes of this rule, and it established a process for designating additional covered companies in the future. Additionally, last month, the Commission’s Public Safety and Homeland Security Bureau issued final designations of Huawei and ZTE as covered companies, thereby prohibiting the use of USF funds on equipment or services produced or provided by these two suppliers.
      • The Commission takes further steps to protect the nation’s communications networks from potential security threats as it integrates provisions of the recently enacted Secure Networks Act into the Commission’s existing supply chain rulemaking proceeding. The Commission seeks comment on proposals to implement further Congressional direction in the Secure Networks Act.
  • The White House’s Office of Science & Technology Policy (OSTP) released a request for information (RFI) “[o]n behalf of the National Science and Technology Council’s (NSTC) Subcommittee on Resilience Science and Technology (SRST), OSTP requests input from all interested parties on the development of a National Research and Development Plan for Positioning, Navigation, and Timing (PNT) Resilience.” OSTP stated “[t]he plan will focus on the research and development (R&D) and pilot testing needed to develop additional PNT systems and services that are resilient to interference and manipulation and that are not dependent upon global navigation satellite systems (GNSS)…[and] will also include approaches to integrate and use multiple PNT services for enhancing resilience. The input received on these topics will assist the Subcommittee in developing recommendations for prioritization of R&D activities.”
    • Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services, was issued on February 12, 2020, and President Donald Trump explained the policy basis for the initiative:
      • It is the policy of the United States to ensure that disruption or manipulation of PNT services does not undermine the reliable and efficient functioning of its critical infrastructure. The Federal Government must increase the Nation’s awareness of the extent to which critical infrastructure depends on, or is enhanced by, PNT services, and it must ensure critical infrastructure can withstand disruption or manipulation of PNT services. To this end, the Federal Government shall engage the public and private sectors to identify and promote the responsible use of PNT services.
    • In terms of future steps under the EO, the President directed the following:
      • The Departments of Defense, Transportation, and Homeland Security must use the PNT profiles in updates to the Federal Radionavigation Plan.
      • The Department of Homeland Security must “develop a plan to test the vulnerabilities of critical infrastructure systems, networks, and assets in the event of disruption and manipulation of PNT services. The results of the tests carried out under that plan shall be used to inform updates to the PNT profiles…”
      • The heads of Sector-Specific Agencies (SSAs) and the heads of other executive departments and agencies (agencies) coordinating with the Department of Homeland Security, must “develop contractual language for inclusion of the relevant information from the PNT profiles in the requirements for Federal contracts for products, systems, and services that integrate or utilize PNT services, with the goal of encouraging the private sector to use additional PNT services and develop new robust and secure PNT services. The heads of SSAs and the heads of other agencies, as appropriate, shall update the requirements as necessary.”
      • The Federal Acquisition Regulatory Council, in consultation with the heads of SSAs and the heads of other agencies, as appropriate, shall incorporate the [contractual language] into Federal contracts for products, systems, and services that integrate or use PNT services.
      • The Office of Science and Technology Policy (OSTP) must “coordinate the development of a national plan, which shall be informed by existing initiatives, for the R&D and pilot testing of additional, robust, and secure PNT services that are not dependent on global navigation satellite systems (GNSS).”
  • An ideologically diverse bipartisan group of Senators wrote the official at the United States Department of Justice in charge of the antitrust division and the chair of the Federal Trade Commission (FTC) “regarding allegations of potentially anticompetitive practices and conduct by online platforms toward content creators and emerging competitors….[that] stemmed from a recent Wall Street Journal report that Alphabet Inc., the parent company of Google and YouTube, has designed Google Search to specifically give preference to YouTube and other Google-owned video service providers.”
    • The Members asserted
      • There is no public insight into how Google designs its algorithms, which seem to deliver up preferential search results for YouTube and other Google video products ahead of other competitive services. While a company favoring its own products, in and of itself, may not always constitute illegal anticompetitive conduct, the Journal further reports that a significant motivation behind this action was to “give YouTube more leverage in business deals with content providers seeking traffic for their videos….” This exact conduct was the topic of a Senate Antitrust Subcommittee hearing led by Senators Lee and Klobuchar in March this year.
    • Senators Thom Tillis (R-NC), Mike Lee (R-UT), Amy Klobuchar (D-MN), Richard Blumenthal (D-CT), Marsha Blackburn (R-TN), Josh Hawley (R-MO), Elizabeth Warren (D-MA), Mazie Hirono (D-HI), Cory Booker (D-NJ) and Ted Cruz (R-TX) signed the letter.
  • The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released a “Cybersecurity Advisory [and a fact sheet and FAQ] about previously undisclosed Russian malware” “called Drovorub, designed for Linux systems as part of its cyber espionage operations.” The NSA and FBI asserted “[t]he Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165” developed and deployed the malware. The NSA and FBI stated the GRU and GTsSS are “sometimes publicly associated with APT28, Fancy Bear, Strontium, and a variety of other identities as tracked by the private sector.”
    • The agencies contended
      • Drovorub represents a threat to National Security Systems, Department of Defense, and Defense Industrial Base customers that use Linux systems. Network defenders and system administrators can find detection strategies, mitigation techniques, and configuration recommendations in the advisory to reduce the risk of compromise.
  • The United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published Cybersecurity Best Practices for Operating Commercial Unmanned Aircraft Systems (UAS) “a companion piece to CISA’s Foreign Manufactured UASs Industry Alert,…[to] assist in standing up a new UAS program or securing an existing UAS program, and is intended for information technology managers and personnel involved in UAS operations.” CISA cautioned that “[s]imilar to other cybersecurity guidelines and best practices, the identified best practices can aid critical infrastructure operators to lower the cybersecurity risks associated with the use of UAS, but do not eliminate all risk.”
  • The United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released the “Identity, Credential, and Access Management (ICAM) Value Proposition Suite of documents in collaboration with SAFECOM and the National Council of Statewide Interoperability Coordinators (NCSWIC), Office of the Director of National Intelligence (ODNI), and Georgia Tech Research Institute (GTRI)…[that] introduce[] ICAM concepts, explores federated ICAM use-cases, and highlights the potential benefits for the public safety community:”
    • ICAM Value Proposition Overview
      • This document provides a high-level summary of federated ICAM benefits and introduces domain-specific scenarios covered by other documents in the suite.
    • ICAM Value Proposition Scenario: Drug Response
      • This document outlines federated ICAM use cases and information sharing benefits for large-scale drug overdose epidemic (e.g., opioid, methamphetamine, and cocaine) prevention and response.

Further Reading

  • “Trump’s Labor Chief Accused of Intervening in Oracle Pay Bias Case” By Noam Scheiber, David McCabe and Maggie Haberman – The New York Times. In the sort of conduct that is apparently the norm across the Trump Administration, there are allegations that the Secretary of Labor intervened in departmental litigation to help a large technology firm aligned with President Donald Trump. Starting in the Obama Administration and continuing into the Trump Administration, software and database giant Oracle was investigated, accused, and sued for paying non-white, non-male employees significantly less in violation of federal and state law. Estimates of Oracle’s liability ranged between $300-800 million, and litigators in the Department of Labor were seeking $400 million and had taken the case to trial. Secretary Eugene Scalia purportedly stepped in and lowered the dollar amount to $40 million and the head litigator is being offered a transfer from Los Angeles to Chicago in a division in which she has no experience. Oracle’s CEO Safra Catz and Chair Larry Ellison have both supported the President more enthusiastically and before other tech company heads engaged.
  • “Pentagon wins brief waiver from government’s Huawei ban” By Joe Gould – Defense News. A Washington D.C. trade publication is reporting the Trump Administration is using flexibility granted by Congress to delay the ban on contractors using Huawei, ZTE, and other People’s Republic of China (PRC) technology for the Department of Defense. Director of National Intelligence John Ratcliffe granted the waiver at the request of Under Secretary of Defense for Acquisition and Sustainment Ellen Lord, claiming:
    • You stated that DOD’s statutory requirement to provide for the military forces needed to deter war and protect the security of our country is critically important to national security. Therefore, the procurement of goods and services in support of DOD’s statutory mission is also in the national security interests of the United States.
    • Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) requires agencies to remove this equipment and systems and also not to contract with private sector entities that use such equipment and services. It is the second part of the ban from which the DOD and its contractors are getting a reprieve, as an interim rule putting such a ban in place was issued last month.
  • “DOD’s IT supply chain has dozens of suppliers from China, report finds” By Jackson Barnett – fedscoop. A data analytics firm, Govini, analyzed a sample of prime contracts at the Department of Defense (DOD) and found a surge in the presence of firms from the People’s Republic of China (PRC) in the supply chains in the software and information technology (IT) sectors. This study has obvious relevance to the previous article on banning PRC equipment and services in DOD supply chains.
  • “Facebook algorithm found to ‘actively promote’ Holocaust denial” by Mark Townsend – The Guardian. A British counter-hate organization, the Institute for Strategic Dialogue (ISD), found that Facebook’s algorithms lead people searching for the Holocaust to denial sites and posts. The organization found the same problem on Reddit, Twitter, and YouTube, too. ISD claimed:
    • Our findings show that the actions taken by platforms can effectively reduce the volume and visibility of this type of antisemitic content. These companies therefore need to ask themselves what type of platform they would like to be: one that earns money by allowing Holocaust denial to flourish, or one that takes a principled stand against it.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (15 August)

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” By 21 August, the FTC “is seeking comment on a range of issues including:
    • How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
    • What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
    • To what extent has data portability increased or decreased competition?
    • Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
    • Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
    • Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
    • How do companies verify the identity of the requesting consumer before transmitting their information to another company?
    • How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
    • What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The Global Engagement Center (GEC) at the U.S. Department of State published the “GEC Special Report: Pillars of Russia’s Disinformation and Propaganda Ecosystem.” The GEC drew “on publicly available reporting to provide an overview of Russia’s disinformation and propaganda ecosystem.” The GEC identified the five pillars of Russia’s Disinformation and Propaganda Ecosystem:
    • official government communications;
    • state-funded global messaging;
    • cultivation of proxy sources;
    • weaponization of social media; and
    • cyber-enabled disinformation.
    • The GEC stated
      • This report provides a visual representation of the ecosystem described above, as well as an example of the media multiplier effect it enables. This serves to demonstrate how the different pillars of the ecosystem play distinct roles and feed off of and bolster each other. The report also includes brief profiles of select proxy sites and organizations that occupy an intermediate role between the pillars of the ecosystem with clear links to Russia and those that are meant to be fully deniable. The emphasis on these proxy sites is meant to highlight the important role they play, which can be overlooked given the attention paid to official Russian voices on one end of the spectrum, and the social media manipulation and cyber-enabled threats on the other.
  • The United States (U.S.) Department of Veterans Affairs (VA) has restarted its process for rolling out its new electronic health record (EHR) and announced it has “revised its previous schedule to convert facilities to its new EHR capabilities with updated timelines for deployments in August in Columbus, Ohio, and October in Spokane, Washington.” The VA opted to replace its Veterans Health Information Systems and Technology Architecture (VistA) with a commercial off-the-shelf system the U.S. Department of Defense has chosen, Cerner Millennium. However, this $16 billion acquisition has encountered numerous difficulties and delays, which have caught the continued attention of Congress.
    • The VA claimed “The new timeline will preserve the 10-year implementation schedule and the overall cost estimates of VA’s EHR modernization program…[and] [a]fter the conversion at these sites, VA will bring other select facilities forward in the timeline.”
    • In June 2020, the U.S. Government Accountability Office (GAO) found:
      • VA met its schedule for making the needed system configuration decisions that would enable the department to implement its new EHR system at the first VA medical facility, which was planned for July 2020. In addition, VA has formulated a schedule for making the remaining EHR system configuration decisions before implementing the system at additional facilities planned for fall 2020.
      • VA’s Electronic Health Record Modernization (EHRM) program was generally effective in establishing decision-making procedures that were consistent with applicable federal standards for internal control. However, VA did not always ensure the involvement of relevant stakeholders, including medical facility clinicians and staff, in the system configuration decisions. Specifically, VA did not always clarify terminology and include adequate detail in descriptions of local workshop sessions to medical facility clinicians and staff to ensure relevant representation at local workshop meetings. Participation of such stakeholders is critical to ensuring that the EHR system is configured to meet the needs of clinicians and support the delivery of clinical care.
  • The United States (U.S.) Government Accountability Office (GAO) studied and reported on privacy and accuracy issues related to the use of facial recognition technology, in a report requested by the chairs of the House Judiciary and Oversight and Reform Committees. This report updates a 2015 report on the same issues and renews the agency’s call first made in 2013 that Congress “strengthen[] the current consumer privacy framework to reflect the effects of changes in technology and the marketplace—particularly in relation to consumer data used for marketing purposes—while also ensuring that any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord.”
    • In the new report, the GAO explained that “[s]takeholders we interviewed identified additional activities that companies could improve the use of facial recognition technology. These activities include
      • defining the purpose for the technology’s use and clearly notifying consumers how companies are using the technology—such as surveillance or marketing;
      • identifying risks and limitations associated with using the technology and prohibiting certain uses (e.g., those with discriminatory purposes); and
      • providing guidance or training related to these issues.
    • The GAO asserted
      • However, these voluntary privacy frameworks and suggested activities that could help address privacy concerns or improve the use of facial recognition technology are not mandatory. Furthermore, as discussed earlier, in most contexts facial recognition technology is not currently covered by federal privacy law. Accordingly, we reiterate our 2013 suggestion that Congress strengthen the current consumer privacy framework to reflect the effects of changes in technology and the marketplace.
  • The United States Department of Justice (DOJ) “announced the dismantling of three terrorist financing cyber-enabled campaigns, involving the al-Qassam Brigades, Hamas’s military wing, al-Qaeda, and Islamic State of Iraq and the Levant (ISIS)…the government’s largest-ever seizure of cryptocurrency in the terrorism context.”
    • The DOJ claimed
      • These three terror finance campaigns all relied on sophisticated cyber-tools, including the solicitation of cryptocurrency donations from around the world. The action demonstrates how different terrorist groups have similarly adapted their terror finance activities to the cyber age. Each group used cryptocurrency and social media to garner attention and raise funds for their terror campaigns. Pursuant to judicially-authorized warrants, U.S. authorities seized millions of dollars, over 300 cryptocurrency accounts, four websites, and four Facebook pages all related to the criminal enterprise.
  • The United States (U.S.) National Counterintelligence and Security Center (NCSC) revealed it “has been providing classified briefings and other assistance to federal procurement executives, chief information officers and chief information security officers from across the U.S. Government on supply chain threats and risks stemming from contracting with five Chinese companies.” The NCSC explained the “supply chain security briefings are designed to assist federal agencies implement” Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232).
    • The NCSC stated:
      • One provision of the NDAA prohibits the U.S. Government from directly using goods and services from five specified Chinese companies — Huawei, ZTE Corporation, Hytera Communications, Hangzhou Hikvision and Dahua Technology Company.
      • Another, broader, provision of Section 889 prohibits federal agencies from contracting with any company that uses goods and services from these five Chinese firms. This particular prohibition takes effect on August 13, 2020, unless a federal agency authorizes a waiver for a specific company, which can only be granted by the agency head after receiving NCSC supply chain security guidance.
  • The Federal Communications Commission (FCC) denied two petitions to stay an April 2020 rulemaking that would make the 6 GHz band of spectrum available to users other than the incumbents. The FCC noted “two parties—Edison Electric Institute (EEI) and Association of Public-Safety Communications Officials-International, Inc. (APCO)—petitioned to stay the Order:
    • EEI, a trade association representing investor-owned electric utilities, seeks only to stay the effectiveness of the rules that apply to low-power indoor devices. 
    • APCO, a non-profit association of persons who manage and operate public-safety communications systems, seeks to stay the rules for both standard-power and low-power indoor operations.
    • In the rule and order, the FCC explained
      • We authorize two different types of unlicensed operations—standard-power and indoor low-power operations. We authorize standard-power access points using an automated frequency coordination (AFC) system. These access points can be deployed anywhere as part of hotspot networks, rural broadband deployments, or network capacity upgrades where needed. We also authorize indoor low-power access points across the entire 6 GHz band. These access points will be ideal for connecting devices in homes and businesses such as smartphones, tablet devices, laptops, and Internet-of-things (IoT) devices to the Internet. As has occurred with Wi-Fi in the 2.4 GHz and 5 GHz bands, we expect that 6 GHz unlicensed devices will become a part of most peoples’ everyday lives. The rules we are adopting will also play a role in the growth of the IoT; connecting appliances, machines, meters, wearables, and other consumer electronics as well as industrial sensors for manufacturing.
  • In a speech, the Australian Competition and Consumer Commission (ACCC) Chair Rod Sims laid out the status of his agency’s actions against Google, Facebook, and other large technology platforms flowing from its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers,” including:
    • The ACCC recently launched an action against Google regarding misleading representations it made to consumers to obtain their consent to expand the scope of personal information it collected and used about its users’ online activities.
    • In another case, which we brought against Google last year, we allege that Google misled consumers into sharing location data with Google. We contend Google did not clearly inform consumers using Android mobile devices that a particular account setting allowed Google to collect location data. We assert that many consumers may have unknowingly provided more of their personal location data to Google than they intended. Google then used consumers’ location data to enhance the value of its advertising services to prospective advertisers. This case is currently in Court with a hearing scheduled in late November.
    • Currently the ACCC is considering the acquisition by Google and Facebook of Fitbit and Giphy, respectively. We are considering questions such as whether they have the ability to give themselves advantages by favouring their own products, or whether these acquisitions are raising barriers to entry for other competitors.
    • In April 2020 the Federal Government directed the ACCC to develop a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms. We recently published the draft legislation for the code.
  • A British appeals court overturned a decision that had found a police force’s use of facial recognition technology, in a pilot program that utilized live footage, to be legal. The appeals court found the use of this technology by the South Wales Police Force a violation of “the right to respect for private life under Article 8 of the European Convention on Human Rights, data protection legislation, and the Public Sector Equality Duty (“PSED”) under section 149 of the Equality Act 2010.”

Further Reading

  • “North Korean Hacking Group Attacks Israeli Defense Industry” by Ronen Bergman and Nicole Perlroth – The New York Times. Israel is denying the claims of a cybersecurity firm that hackers from the Democratic People’s Republic of Korea (DPRK) deeply penetrated its defense industry. Through the use of sophisticated phishing, including fake LinkedIn accounts and fluent English speakers, employees at Israeli defense companies were tricked into installing spyware on their personal computers, and then the hackers allegedly eventually accessed classified Israeli networks. The attacks show growing sophistication from DPRK hackers and that those looking to penetrate networks will always seek out weak spots.
  • “Pentagon Requests More Time to Review JEDI Cloud Contract Bids” by Frank Konkel – Nextgov. The United States Department of Defense (DOD) has asked for yet more time to resolve who will win the second round of the Joint Enterprise Defense Infrastructure (JEDI) cloud contract that may prove worth more than $10 billion to the winner. The Pentagon had told the court it was on schedule to make an award on the rebid of the contract that Microsoft had won over Amazon. The latter claimed political interference from the White House violated federal contract law, among other claims, resulting in this lawsuit.
  • “Google rival’s study urges letting mobile users pick search defaults” by Ashley Gold – Axios. DuckDuckGo, a search engine, claims in newly released research that permitting Android users to choose their search engine would decrease Google’s market share by 20%. This could be relevant to the United States (U.S.) Department of Justice’s (DOJ) antitrust investigation. As a point of reference, in the U.S., the United Kingdom, and Australia, Google’s share of the mobile search engine market is 95%, 98% and 98%, respectively. DOJ may seriously look at this remedy as the European Commission (EC) imposed this as part of its antitrust case against Google, resulting in a record €4.34 billion fine.
  • “Facial Recognition Start-Up Mounts a First Amendment Defense” By Kashmir Hill – The New York Times. Clearview AI has retained legendary First Amendment lawyer Floyd Abrams to make the argument that its collection, use, and dissemination of public photos scraped from the internet is protected as free speech. Abrams is quoted as saying that while privacy is, of course, an important right, the First Amendment to the United States Constitution would trump any such rights. It is expected that this argument will be employed in the myriad suits against the facial recognition technology firm.
  • “An advanced group specializing in corporate espionage is on a hacking spree” By Jeff Stone – cyberscoop. A new hacking group, RedCurl, has gone on a worldwide hacking campaign that broke into businesses in the United Kingdom, Canada, and other places. The hackers phished a number of businesses successfully by impersonating someone from human resources in the organization.

Further Reading, Other Developments, and Coming Events (28 July)

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 28 July, the House Rules Committee will consider the rule for and amendments to the H.R. 7617—Department of Defense Appropriations Act, 2021 [Defense, Commerce, Justice, Science, Energy and Water Development, Financial Services and General Government, Homeland Security, Labor, Health and Human Services, Education, Transportation, Housing, and Urban Development Appropriations Act, 2021].
  • On 28 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing titled “The PACT Act and Section 230: The Impact of the Law that Helped Create the Internet and an Examination of Proposed Reforms for Today’s Online World.”
  • On 28 July the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint virtual hearing titled “The Role of Technology in Countering Trafficking in Persons” with these witnesses:
    • Ms. Anjana Rajan, Chief Technology Officer, Polaris
    • Mr. Matthew Daggett, Technical Staff, Humanitarian Assistance and Disaster Relief Systems Group, Lincoln Laboratory, Massachusetts Institute of Technology
    • Ms. Emily Kennedy, President and Co-Founder, Marinus Analytics
  • On 29 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 30 July the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
    • The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
    • Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
    • Mr. Michael Wessel, Commissioner, U.S. – China Economic and Security Review Commission
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)

Other Developments

  • The United States’ (US) Office of Management and Budget (OMB), an agency within the Executive Office of the President, has issued a memorandum in the same vein as other Trump Administration initiatives to increase the US government’s buying of goods and services produced domestically. Noting that 40% of the funds provided by Congress through annual legislation will be spent between 1 July and 30 September (roughly $200 billion), OMB urged federal agencies “to keep the following considerations in mind to support timely awards and maximize return on investment from each taxpayer dollar” among others:
    • Take full advantage of acquisition flexibilities and innovative tools. This week, the President’s Management Agenda unveiled a new cross-agency priority goal (CAP Goal) on “frictionless acquisition.” This CAP Goal creates a management platform to leverage modern buying strategies that have been shown to achieve just-in-time delivery with improved customer satisfaction and enable access to a broader and more innovative suite of companies and solutions. Agencies can review the resources on acquisition innovation and opportunities for collaboration by going to the frictionless CAP Goal on performance.gov.
      • The Goal Statement of this new CAP is “The Federal Government will deliver commercial items at the same speed as the market place & manage customers’ delivery expectations for acquisitions of non-commercial items by breaking down barriers to entry using modern business practices and technologies” as explained in a detailed presentation on frictionless acquisition released this month.
    • Use the resources of category management. As part of the ongoing transformation of federal acquisition, procurement involving common needs has been organized around categories of spending led by market experts who share business intelligence and help agencies avoid duplicative contracting work. This business structure has saved taxpayers more than $27 billion since FY 2016 and made it much easier for buyers to make rapid, well-informed decisions on how best to acquire IT hardware, security, consulting services and many other everyday needs that account for more than half of all contract spending. To stay current with market trends and available federal solutions, agencies should bookmark the category management dashboards on the acquisition gateway at https://hallways.cap.gsa.gov/app/#/.
    • Buy American. E.O. 13881 strengthens the general preference for American-made goods and, for the first time in 65 years, increases the percentage of U.S. manufactured content that must be in a product to qualify for the preference, including a very high standard for iron and steel. Agencies are encouraged to work with the Federal Acquisition Regulatory Council (FAR Council) to consider early implementation, as appropriate, while the rulemaking process proceeds.
    • In a related memorandum issued earlier this month, OMB asserted:
      • Under the President’s Management Agenda and the leadership of OMB’s Office of Federal Procurement Policy (OFPP), the Administration has elevated the importance of acquisition innovation and category management as key pillars of a modernized procurement system. These pillars are proving to be critical assets in the face of market conditions that require heightened agility and the ongoing need for physical distancing as communities take steps to reopen. We are seeing smart use of existing contract vehicles and resources, supported by our category management market experts, such as for cleaning and disinfection, information technology related to telework and healthcare, and enhanced entry screening services. We are also seeing growing examples of agencies leveraging innovative business practices, such as virtual acquisitions, that save time and enable acquisitions to continue where they might otherwise have been stopped.
      • OMB went on to detail best practices and examples of how agencies have adapted their procurement authority to the pandemic commensurate with ongoing Administration priorities such as category management.
  • Senator Amy Klobuchar (D-MN) and some of her Democratic colleagues wrote Attorney General William Barr “to raise serious concerns regarding Google LLC’s (Google) proposed acquisition of Fitbit, Inc. (Fitbit)”. They stated:
    • We are aware that the Antitrust Division of the Department of Justice is investigating this transaction and has issued a Second Request to gather additional information about the acquisition’s potential effects on competition. Amid reports that Google is offering modest, short-term concessions to overseas enforcers to avoid a full-scale investigation of the transaction in Europe, we write to urge the Division to continue with its efforts to conduct a thorough and comprehensive review of this proposed merger and to take any and all enforcement action warranted by the law and the evidence.
    • This letter comes at a time when the Department of Justice is considering Google’s potential antitrust practices and whether to file suit. The European Commission is also investigating the Google acquisition of Fitbit.
    • Klobuchar is the Ranking Member of the Senate Judiciary Committee’s Antitrust, Competition Policy and Consumer Rights Subcommittee and was joined on the letter by Senators Richard Blumenthal (D-CT), Cory Booker (D-NJ), Mazie K. Hirono (D-HI), Sherrod Brown (D-OH), Mark Warner (D-VA), and Elizabeth Warren (D-MA).
  • Facebook and members of a class action and their attorneys have reached a second settlement in a suit brought under Illinois’ “Biometric Information Privacy Act” after a first settlement was rejected by the judge overseeing Patel, et al. v. Facebook, Inc. In January, the plaintiffs and Facebook agreed on a $550 million settlement to resolve claims the social media giant used and stored people’s images contrary to the Illinois ban on such practices absent explicit consent. Facebook faced liability of up to $5000 per person affected and more than $40 billion in total potential liability. However, the judge thought the settlement was too low considering the Illinois legislature expressed its intention that violations would be punished more on the order of $1000 per person. Now, the parties have added $100 million, arriving at a $650 million settlement the judge will still need to bless.
  • Secretary of State Mike Pompeo made a speech at the Ronald Reagan Library “to make clear that the threats to Americans that President Trump’s China policy aims to address are clear and our strategy for securing those freedoms established.” Pompeo’s speech is the fourth in a series of Trump Administration officials making the Administration’s case against the People’s Republic of China (PRC), in some cases conflating the PRC’s vying with the United States worldwide with the COVID-19 pandemic, suggesting the PRC is responsible for the course of the virus in the US and not Trump Administration policy.
  • The Department of Defense’s National Security Agency (NSA) and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) “released an advisory for critical infrastructure Operational Technology (OT) and Industrial Controls Systems (ICS) assets to be aware of current threats we observe, prioritize assessing their cybersecurity defenses and take appropriate action to secure their systems.” The agencies asserted “[d]ue to the increase in adversary capabilities and activities, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to US interests or retaliate for perceived US aggression.”
  • The Secretary of Defense released a memorandum for the Department of Defense (DOD) stating that poor Operations Security (OPSEC) “practices within DOD in the past have resulted in the unauthorized disclosure or ‘leaks’ of controlled unclassified information (CUI), including information to be safeguarded under the CUI category for OPSEC, as well as classified national security information (together referred to here as ‘non-public information’).” Secretary of Defense Mark Esper asserted “[o]ngoing reviews reveal a culture of insufficient OPSEC practices and habits within the DOD” and stated “[m]y goal, through an OPSEC campaign, is to change that culture across DOD by reminding DOD personnel.”
  • The United Kingdom’s Information Commissioner’s Office (ICO) published its annual report for 2019-2020, “covering what the Information Commissioner has called a ‘transformative period’ for privacy and data protection and broader information rights.” The ICO offered these highlights:
    • Supporting and protecting the public and organisations
      • The Age Appropriate Design Code, introduced by the Data Protection Act 2018, was published in January. When it comes into full effect, it will help steer businesses to comply with current information rights legislation.
      • We intervened in the High Court case on the use of facial recognition technology by the South Wales Police as part of our work to ensure that the use of this technology does not infringe people’s rights. As a response to the judgement, we issued the first Commissioner’s Opinion.
      • Our new freedom of information strategy was launched which sets out how we work to create a culture of openness in public authorities. It also commits us to making the case for reform of the access to information law as set out previously in our Outsourcing Oversight report.
      • In figures:
        • We received 38,514 data protection complaints.
        • We closed 39,860 data protection cases (up from 34,684 in 2018/19).
        • We received 6,367 freedom of information complaint cases.
    • Enforcement
      • We took regulatory action 236 times in response to breaches of the legislation that we regulate. That included 54 information notices, eight assessment notices, seven enforcement notices, four cautions, eight prosecutions and 15 fines.
      • Over 2,100 investigations were conducted.
    • Innovation
      • Through our successful regulatory sandbox service, we have worked with a number of innovative organisations of all sizes to explore new data uses in a safe way while helping to ensure their customers’ privacy.
      • We also received additional resources from the government’s regulators innovation fund to set up a hub with other regulators to streamline and reduce burdens on businesses and public services using data.
      • In January, we launched our consultation on an AI framework to allow the auditing and assessment of the risk associated with AI applications and how to ensure their use is transparent, fair and accountable.
    • International
      • On a global scale, we continue to chair the Global Privacy Assembly, driving forward the development of the assembly into an international network that can have an impact on key data protection issues across the year. This helps to protect UK citizens’ personal data as it crosses borders and helps UK businesses operating internationally.
      • Due to the period covered by the report, it does not reflect the impact of COVID-19, although, acknowledging the pandemic, Ms Denham said: “The digital evolution of the past decade has accelerated at a dizzying speed in the past few months. Digital services are now central to how so many of us work, entertain ourselves and talk to friends and family.”

Further Reading

  • “The Twitter Hacks Have to Stop” – The Atlantic. Bruce Schneier makes the case that the United States and other western democracies must step in and regulate vital platforms like Twitter for security and size given the central role they play in most societies. Letting these companies implement their own security without oversight or transparency has led to a situation where the accounts of world leaders or government agencies are vulnerable to hacks and misinformation. Schneier thinks the size and dominance of Twitter, Facebook, etc. is a major part of this problem that must also be addressed.
  • “US and Australia set to launch campaign to counter disinformation” – Sydney Morning Herald. Two of the Five Eyes allies met in Washington on 27 July for their annual Australia-U.S. Ministerial Consultations (AUSMIN), and part of their planning on how to counter the People’s Republic of China (PRC) is working together on an effort to address the PRC’s disinformation campaigns. The already close relationship between Washington and Canberra has deepened as tensions between the United States (US) and PRC continue to escalate. However, the US and Australia are framing this initiative as aiming to counter all disinformation in the Indo-Pacific region, suggesting other nations may be waging disinformation campaigns of concern, including the Russian Federation and the Democratic People’s Republic of Korea.
  • “Russia’s GRU Hackers Hit US Government and Energy Targets” – WIRED. Starting in December 2018, APT28 (aka Fancy Bear), a Russian hacking group, targeted and penetrated a number of United States (US) entities, including federal and state governments, educational institutions, and energy companies. APT28 is closely associated with Glavnoye razvedyvatel’noye upravleniye (GRU), the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, and is the entity behind the takedowns of Ukraine’s electrical grid in 2015 and 2016 among other high profile hacks and attacks. The timing of these attacks, sometimes executed as phishing attacks, is interesting for it comes after US Cyber Command and possibly the Central Intelligence Agency (CIA) took down Russia’s Internet Research Agency and other actions designed to deter Russian interference in the 2019 mid-term elections in November 2018.
  • “‘Hurting People At Scale’ – Facebook’s Employees Reckon With The Social Network They’ve Built” – BuzzFeed News. This article documents the dissent and turmoil inside the company about content moderation, which some see the social media giant doing dismally. Some employees and ex-employees are taking issue with how CEO Mark Zuckerberg and his leadership are acting or not to take down extreme and violent content.
  • “Big Tech Funds a Think Tank Pushing for Fewer Rules. For Big Tech.” – The New York Times. The Global Antitrust Institute at George Mason University’s Antonin Scalia Law School has been pushing for less regulation of antitrust statutes and regulations, especially in “educating” antitrust officials at conferences. It has also been financially supported by large technology companies which benefit from these policies and has not been transparent about its funding or the extent to which these companies’ positions on antitrust inform its efforts and output. A similar New York Times investigation into other Washington DC think tanks exposed the transactional nature of some of these institutions, donors, and positions.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Exposure Notification Privacy Act Introduced

A third COVID-19 privacy bill is unveiled in the Senate that may be more about messaging and positioning on broader privacy legislation. In any event, the odds of such legislation being enacted in the near term are not high.

This week, a third COVID-19 privacy bill was released that occupies a middle ground between the other two bills. However, despite being bipartisan and between the two other bills, it is still not likely Congress will enact either targeted privacy legislation or broader, national privacy legislation this year. And yet, a number of the bill’s requirements track more closely with the Democratic bill released last month, suggesting some of the ground may be shifting under some of the outstanding issues. For example, the bill would not preempt state laws and while it would not create a new federal means a person could sue a company for violations, it expressly preserves all existing state and federal avenues a person could use to litigate.

On 3 June, Senate Commerce, Science and Transportation Committee Ranking Member Maria Cantwell (D-WA) and Bill Cassidy (R-LA) introduced the “Exposure Notification Privacy Act” (S.3861) with Senator Amy Klobuchar (D-MN) cosponsoring. The Senators released a section-by-section and a summary of the bill, too. This bill follows the “Public Health Emergency Privacy Act” (S.3749) and the “COVID-19 Consumer Data Protection Act” (S.3663), bills that take approaches aligned with the Democratic and Republican thinking on privacy respectively. (See here for more analysis).

The key term in the Exposure Notification Privacy Act is “automated exposure notification service,” (AENS) for it informs what is “covered data,” and hence covered by the bill’s protections, and it seems fairly targeted to address only those apps or services created to track contacts for purposes of reducing the spread of COVID-19. This term is defined as:

  • a website, online service, online application, mobile application, or mobile operating system
  • offered in interstate commerce in the United States
  • designed, in part or in full, specifically to be used for, or marketed for, the purpose of digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease

And yet, because what is covered data is limited to information “collected, processed, or transferred in connection with an AENS,” it is a reasonable reading of this language that an entity obtaining information from a data broker in order to track COVID-19 would be outside the definition of covered data. The same would seem to be true of social media platforms that collect and process data from their users incidentally to their main business of monetizing these data. This seems like a fairly large loophole that would mean the “Exposure Notification Privacy Act” would really focus tightly on technology programs, apps, and platforms mostly used to track and prevent infectious diseases with the voluntary, knowing consent of users.

AENS would need to obtain express, affirmative consent a person provides after being provided with conspicuous, easy-to-understand notice about data collection, usage, processing, and transfer. There must also be a conspicuous means of withdrawing such consent. In any event, a person with an “authorized diagnosis” would control whether this information is processed by the AENS.

AENS and platform operators must publish “a privacy policy that provides a detailed and accurate representation of that person or entity’s covered data collection, processing, and transfer activities in connection with such person or entity’s AENS or the facilitation of such service.” These privacy policies must divulge “each category of covered data the person or entity collects and the limited allowable processing purposes for which such covered data is collected” and

  • “a description of the person or entity’s covered data minimization and retention policies;
  • how an individual can exercise the individual rights described in this title;
  • a description of the person or entity’s covered data security policies.”

As an aside, platform operators are entities “other than a service provider who provides an operating system that includes features supportive of an AENS and facilitates the use or distribution of such AENS to the extent the technology is not used by the platform operator as an AENS.” And so, platform operators might be Google, Apple, Microsoft, or a handful of others to the extent their operating systems are supporting the AENS in its purpose to track infectious diseases. Hence, some of the bill’s requirements will be imposed on such entities.

Of course, the bill text does not limit this measure just to COVID-19 and extends it to all infectious diseases, which is perhaps a nod to a new normal in which many Americans have apps on their phone or wearables on their bodies designed to counter contracting the flu or other, less dangerous viruses. (See below in further reading for an article on FitBit and other apps and platforms that may be poised to do just this and a wearable Singapore may debut shortly.)

There are restrictions on who may receive covered data from AENS. Covered data may be transferred only to alert individuals of possible exposure if they opted in, to a public health authority, to service providers to maintain, fix, or improve the system or for security purposes, or to comply in a legal action. The bill also seeks to assuage fears that the sensitive information of people collected for the purposes of combatting infectious diseases could be transferred to and used by law enforcement and surveillance agencies. The legislation explains “[i]t shall be unlawful for any person, entity, or Executive agency to transfer covered data to any Executive agency unless the information is transferred in connection with an investigation or enforcement proceeding under this Act.” Consequently, it would appear that while the Centers for Disease Control and Prevention (CDC) would be able to transfer covered data to the FTC for an investigation, it could not do the same with the Federal Bureau of Investigation (FBI). In this vein, Executive agencies can only process or transfer for a health purpose related to infectious diseases or in connection with an FTC or state investigation or enforcement action. However, this limitation does not seem to bar a state public health authority from conducting such a transfer to a state law enforcement agency.

There are data minimization responsibilities AENS would need to meet. AENS may not “collect or process any covered data…beyond the minimum amount necessary to implement an AENS for public health purposes; or…for any commercial purpose.” This would seem to limit AENS to collecting, processing and sharing personal information strictly necessary for the purpose of tracking infectious diseases. Likewise, AENS must delete a person’s covered data upon request and on a rolling basis per public health authority guidance. Service providers working with AENS must comply with the latter’s direction to delete covered data.

AENS must “establish, implement, and maintain data security practices to protect the confidentiality, integrity, availability, and accessibility of covered data…[that] be consistent with standards generally accepted by experts in the information security field.” The bill further specifies that such practices must include identifying and assessing risks, corrective and preventive actions for risks, and notification if an AENS is breached. The bill would also ban discrimination on the basis of covered data collected or processed by an AENS or on the basis of a person’s decision not to use an AENS.

As a means of providing oversight, the Privacy and Civil Liberties Oversight Board (PCLOB) would have its mandate enlarged to include “health-related epidemics,” meaning the Board could investigate and issue reports on how well or poorly the act is being implemented with respect to privacy and civil liberties. To this end, within one year of enactment, PCLOB “shall issue a report, which shall be publicly available to the greatest extent possible, assessing the impact on privacy and civil liberties of Government activities in response to the public health emergency related to the Coronavirus 2019 (COVID–19), and making recommendations for how the Government should mitigate the threats posed by such emergency.”

AENS must also collaborate with public health authorities, which are federal and state agencies charged with protecting and ensuring public health. AENS could only collect, process, and transfer actual diagnoses of an infectious disease and could not do so with potential or presumptive diagnoses. AENS would be charged with issuing public guidance to help people understand the notifications of the system and any limitations with respect to accuracy and reliability. Moreover, AENS must also publish metrics (i.e. “measures of the effectiveness of the service”), including adoption rates. Presumably these latter two requirements would allow for greater transparency and also greater insight into how widely an app or platform is being adopted.

There are a few unexpected wrinkles, however. For example, the act only bars deceptive acts, and not unfair ones, which is a deviation from Section 5 of the Federal Trade Commission (FTC) Act, necessitating language in the bill to this effect rather than the usual reference to 15 USC 45. The bill also places a positive duty on service providers to report violations of the act by either AENS or public health authorities to these entities. It is possible that if such a report accurately depicted a violation the AENS or public health authority then neglected to remedy, the enforcers of the act would have an easier case to make that a violation occurred.

As mentioned, the FTC would police and enforce the act with an enlarged jurisdiction to include common carriers and non-profits. The agency would treat violations as if they were violations of an FTC regulation barring unfair or deceptive practices, which allows the agency to seek civil fines for first offenses. The FTC would not, however, receive rulemaking authority, and should regulations be needed, the agency would be forced to use the cumbersome Moss-Magnuson process.

However, and like the “Public Health Emergency Privacy Act,” the FTC would receive explicit authority to go to court itself instead of having to work through the Department of Justice (DOJ), which is currently the case. That this new wrinkle has appeared in two recent bills largely sponsored by Democrats suggests this may be a new demand for targeted and national privacy legislation and also may reflect diminished faith in the DOJ to vigorously enforce privacy legislation.

State attorneys general could enforce the act in the same ways as the FTC, meaning civil penalties would be possible in the first instance. State attorneys general may also bring concurrent state claims, alleging violations under state laws. And so, the bill does not preempt state laws, as a section of the bill goes to some length to stress.

Interestingly, while the bill does not create a private right of action, it suggests a possible way of resolving that sticking point in negotiations between Republicans and Democrats. The bill stresses that it does not foreclose any existing common law federal and state rights of action and would therefore allow people to use any existing law to sue covered entities. This would allow tort suits and other suits to move forward. That Cassidy has cosponsored legislation with this language does not necessarily indicate this is now the will of the Senate Republican Conference.

Odds and Ends (14 April)

Every week, not surprisingly, there are more developments in the technology space than I can reasonably get to. And so, this week, at least, I’ve decided to include some of the odds and ends.

To no great surprise, federal and state elected officials have been questioning Zoom on its security and privacy practices and demanding improvements thereof.

Earlier this month, Senator Michael Bennet (D-CO) sent a letter after the Washington Post found that thousands of Zoom calls could be accessed online that contained people’s sensitive personal information such as therapy sessions and financial information. The culprit is apparently Zoom’s practice of using an identical name format for each video, meaning once someone knows the format they can look up many videos. Security experts call for unique names for each file for a platform like Zoom so as to avoid this outcome.

With these revelations in mind, Bennet wrote Zoom CEO Eric Yuan, asking him to “provide answers to the following questions no later than April 15, 2020: 

  • Please describe all data that Zoom collects from users with and without accounts and please specify how long Zoom retains this data. 
  • Please list every third party and service provider with which Zoom shares user data and for what purposes and level of compensation, if any.
  • Will Zoom require participants to provide affirmative consent if their calls are being recorded or will later be uploaded to the cloud or transcribed? When recorded calls are uploaded and transcribed, will Zoom provide all participants a copy along with an opportunity to correct errors in the recording?
  • Does Zoom plan to change the naming convention that allowed thousands of videos to become easily searchable online?
  • What steps has Zoom taken to notify users featured in videos that are now searchable online? And when users wish for these videos to be removed, what steps will Zoom take to do so, for example, by engaging the third parties where the videos are now viewable?
  • Which privacy settings for users with and without accounts are activated by default, and which require them to opt-in? Does Zoom plan to expand its default privacy settings?
  • What dedicated staff and other resources is Zoom devoting to ensure the privacy and safety of users on its platform?”

Bennet was also quoted in a Politico article along with other Democratic Members calling for the Federal Trade Commission (FTC) to open an investigation. House Energy and Commerce Chair Frank Pallone Jr (D-NJ) and Consumer Protection & Commerce Subcommittee Chair Jan Schakowsky (D-IL) were both quoted as being in support of the FTC investigating. Senators Amy Klobuchar (D-MN) and Sherrod Brown (D-OH) are also requesting that the agency investigate Zoom’s claims on security and privacy as promised versus what the company is actually providing. Brown sent letters to Zoom and the FTC on this matter.

Moreover, the Politico article relates that, in blessing Zoom for Government from a security standpoint, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the General Services Administration’s Federal Risk and Authorization Management Program explained in a statement:

“We advise federal government users to not initiate video conferences using Zoom’s free/commercial offering, but instead to use Zoom for Government.”

More recently, Senators Elizabeth Warren (D-MA) and Ed Markey (D-MA) asked Zoom how well it is protecting the personal data of students per the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA). If the FTC were to find COPPA violations, the company would be facing as much as $42,530 per violation.

Markey wrote the FTC separately, urging the agency “to issue guidance and provide a comprehensive resource for technology companies that are developing or expanding online conferencing tools during the coronavirus pandemic, so that these businesses can strengthen their cybersecurity and protect customer privacy.” He argued that “[a]t a minimum, this guidance should cover topics including:

  • Implementing secure authentication and other safeguards against unauthorized access;
  • Enacting limits on data collection and recording;
  • Employing encryption and other security protocols for securing data; and
  • Providing clear and conspicuous privacy policies for users.”

Markey also “request[ed] that the FTC develop best practices for users of online conferencing software, so that individuals can make informed, safe decisions when choosing and utilizing these technologies. At a minimum, this guidance should cover topics including:

  • Identifying and preventing cyber threats such as phishing and malware;
  • Sharing links to online meetings without compromising security;
  • Restricting access to meetings via software settings; and
  • Recognizing that different versions of a company’s service may provide varying levels of privacy protection.”

Many of the Democrats on the House Energy and Commerce Committee also asked Zoom about its recent update to privacy policies made after some of its substandard practices came to light. These Members stated:

“Despite Zoom’s recent clarifications to its privacy policy, a review of Zoom’s privacy policy shows that Zoom may still collect a significant amount of information about both registered and non-registered users from their use of the platform as well as from third parties. Zoom may use that information for a broad range of purposes, including for targeted marketing from both Zoom and third parties… As consumers turn to Zoom for business meetings, remote consultations with psychologists, or even virtual happy hours with friends, they may not expect Zoom to be collecting and using so much of their information.”

Moreover, federal agency Chief Information Officers are formally and informally directing agency employees not to use the commercial/free edition of Zoom as detailed by Federal News Network.

Last week, CISA and the United Kingdom’s National Cyber Security Centre (NCSC) released a joint advisory titled “COVID-19 exploited by malicious cyber actors.” The two agencies argued:

Malicious cyber actors are using the high appetite for COVID-19 related information as an opportunity to deliver malware and ransomware and to steal user credentials. Individuals and organisations should remain vigilant.

CISA and NCSC noted “[t]hreats observed include:

  • Phishing, using the subject of coronavirus or COVID-19 as a lure
  • Malware distribution using coronavirus or COVID-19 themed lures
  • Registration of new domain names containing coronavirus or COVID-19 related wording
  • Attacks against newly (and often rapidly) deployed remote access or remote working infrastructure.”

The agencies added they “are working with law enforcement and industry partners to disrupt or prevent these malicious COVID-19 themed cyber activities.”

The Electronic Privacy Information Center (EPIC) sent the FTC a letter, renewing the concerns it detailed on Zoom’s security practices in its complaint last year asking the agency to open an investigation. EPIC stated “[w]e asked you to open an investigation, to compel Zoom to fix the security flaws with its conferencing services, and to investigate the other companies engaged in similar practices.” The organization stated that “[w]e anticipated that the FTC, with a staff of more than a 1,000 (EPIC has about a dozen people), would find many problems we missed…[t]hat would lead to a change in business practices, a consent order, and 20 years of agency oversight.”

However, the FTC and the Federal Communications Commission (FCC) sent joint letters “to three companies providing Voice over Internet Protocol (VoIP) services, warning them that routing and transmitting illegal robocalls, including Coronavirus-related scam calls, is illegal and may lead to federal law enforcement against them.” The FTC and FCC “sent a separate letter to USTelecom – The Broadband Association (USTelecom), a trade association that represents U.S.-based telecommunications-related businesses…thank[ing] USTelecom for identifying and mitigating fraudulent robocalls that are taking advantage of the Coronavirus national health crisis, and notes that the USTelecom Industry Traceback Group has helped identify various entities that appear to be responsible for originating or transmitting Coronavirus-related scam robocalls.”

The FCC also denied “an emergency petition requesting an investigation into broadcasters that have aired the President of the United States’ statements and press conferences regarding the novel coronavirus (COVID-19) and related commentary by other on-air personalities” that Free Press filed. The FCC claimed “the Petition misconstrues the Commission’s rules and seeks remedies that would dangerously curtail the freedom of the press embodied in the First Amendment.” In its press release, the FCC added “[t]he decision also makes clear that the FCC will neither act as a roving arbiter of broadcasters’ editorial judgments nor discourage them from airing breaking news events involving government officials in the midst of the current global pandemic.”

Markey and Senator Richard Blumenthal (D-CT) sent a letter “to Google requesting information about the company’s recently announced COVID-19 Community Mobility Reports.” They asked Google to answer the following:

  • Does Google plan to share with any government entities, researchers, or private sector partners any users’ coronavirus-related personal data or pseudonymous information?
  • Does Google plan to use datasets other than Location History for its Community Mobility Reports?
  • What measures has Google undertaken to ensure that the trends detailed in the reports are representative of the entire population of an area, including non-Google users, those without smartphones, or individuals that have opted out of Location History?
  • Does Google expect the Community Mobility Reports to be accurate for more rural or less connected communities?
  • What guidance has Google provided to public health officials about how to interpret the reports, including how Google accounts for common social patterns and categorizes locations?

Blumenthal also joined Senator Mark Warner (D-VA) and Representative Anna Eshoo (D-CA) in sending “a letter to White House Senior Advisor Jared Kushner, raising questions about reports that the White House has assembled technology and health care firms to establish a far-reaching national coronavirus surveillance system.” They stated their “fear that – absent a clear commitment and improvements to our health privacy laws – these extraordinary measures could undermine the confidentiality and security of our health information and become the new status quo.”

Warner, Eshoo, and Blumenthal argued:

Given reports indicating that the Administration has solicited help from companies with checkered histories in protecting user privacy, we have serious concerns that these public health surveillance systems may serve as beachheads for far-reaching health data collection efforts that go beyond responding to the current crisis. Public health surveillance efforts must be accompanied by governance measures that provide durable privacy protections and account for any impacts on our rights. For instance, secondary uses of public health surveillance data beyond coordinating our public health response should be strictly restricted. Any secondary usage for commercial purposes should be explicitly prohibited unless authorized on a limited basis with appropriate administrative process and public input. 

They asked that Kushner answer these questions:

  1. Which technology companies, data providers, and other companies have you approached to participate in the public health surveillance initiative and on what basis were they chosen?
  2. What measures will the Administration put into place to ensure that federal agencies and private sector partners do not misuse or reuse health data for non-pandemic-related purposes, including for training commercial algorithmic decision-making systems, and to require the disposal of data after the sunset of the national emergency? What additional steps have you taken to protect health data from their potential misuse or mishandling?
  3. What is the program described in the press meant to accomplish? Will it be used for the allocation of resources, symptom tracking, or contact tracing? What agency will be operating the program and which agencies will have access to the data? 
  4. When will the federal government stop collecting and sharing health data with the private sector for the public health surveillance initiative? Will the Administration commit to a sunset period after the lifting of the national emergency?
  5. What measures will the Administration put into place to ensure that the public health surveillance initiative protects against misuse of sensitive information and mitigates discriminatory outcomes, such as on the basis of racial identity, sexual orientation, disability status, and income?
  6. Will the Administration commit to conducting an audit of data use, sharing, and security by federal agencies and private sector partners under any waivers or surveillance initiative within a short period after the end of the health emergency?
  7. What steps has the Administration taken under the Privacy Act, which limits the federal government’s authority to collect personal data from third parties and imposes numerous other privacy safeguards?
  8. Will you commit to working with us to pass strong legal safeguards that ensure public health surveillance data can be effectively collected and used without compromising privacy? 

Finally, Consumer Reports showed that Facebook’s system for preventing incorrect COVID-19 information from being posted on its platform is not as robust as a top company official claimed. Kaveh Waddell of Consumer Reports stated:

Facebook has been saying for weeks that it’s intent on keeping coronavirus misinformation off its platforms, which include Instagram and WhatsApp. During one recent interview with NPR, Nick Clegg, Facebook’s vice president for global affairs and communication, cited two examples of the kinds of posts the company would not allow: any message telling people to drink bleach, or discrediting urgent calls for social distancing to slow the pandemic. 

Waddell continued:

  • I’ve been covering Facebook and online misinformation for several years, and I wanted to see how well the company is policing coronavirus-related advertising during the global crisis. So I put the two dangerous claims Clegg brought up, plus other false or dangerous information, into a series of seven paid ads.
  • Facebook approved them all. The advertisements remained scheduled for publication for more than a week without being flagged by Facebook. Then, I pulled them out of the queue to make sure none of them were seen by the public. Consumer Reports made certain not to publish any ads with false or misleading information.